IE 8 Security Features Could Be Turned Against Users, Researchers Say

The good news is that Microsoft's Internet Explorer 8 browser offers a new set of filters designed to prevent some cross-site scripting (XSS) attacks. The bad news is that those same filters could be used to enable XSS attacks.

That was the gist of a presentation offered today by security researchers David Lindsay and Eduardo Vela Nava at the Black Hat Europe conference in Barcelona, Spain.

In a paper (PDF) presented at the conference, the researchers described several methods that attackers could use to enable XSS on sites that would otherwise be immune to XSS.

"There's an irony here because you're using filters that are designed to improve security to launch attacks on sites that take security seriously," said Lindsay during a telephone interview prior to the presentation.

The vulnerabilities were found in several filters that Microsoft added to IE 8 to help identify and "neuter" simple XSS attacks, Lindsay explained.

"The filters work by scanning outbound requests for potential malicious strings," the paper states. "When such a string is detected, IE 8 will dynamically generate a regular expression matching the outbound string. The browser then looks for the same pattern in responses from the server.

"If a match is made anywhere in the server's response, then the browser assumes that a reflected XSS attack is being conducted, and the browser will automatically alter the response so that the XSS attack will be unsucessful.

"The exact method used to alter a server's response is a crucial component in preventing XSS attacks. If the attack is not properly neutralized, then a malicious script may still execute. On the other hand, it is also crucial that benign requests are not accidently detected.

"The Internet Explorer 8 team decided to use a 'neutering' technique to neutralize detected attacks. More specifically, when the the filters make a positive match against the server's response, the malicious part of the response will have a certain character modified so that the attack will not execute, or not render properly."

In their presentation, Lindsay and Vela Nava demonstrated several ways in which that simple character modification strategy could be abused to allow attacks on systems that otherwise would not be vulnerable to XSS.

"The neutering mechanism can be abused by an attacker to block benign content on a page," the paper says, altering the way a page is rendered. "For example, embedded JavaScript can be blocked from executing by 'faking' an XSS attack." This approach could paradoxically be used to disable JavaScript code that would otherwise protect the site, thus allowing an attack, the researchers say.

The researchers also outlined more complex attacks that also take advantage of the neutering mechanism.

Lindsay and Vela Nava notified Microsoft of their discovery earlier this year, and Microsoft subsequently issued a patch that alleviates the immediate problem. Google and other major sites have also been notified and have implemented fixes, as well, Lindsay says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message