Thursday, September 4th, 2008
Eric Lawrence posted on IE 8 security issues in the beta 2 release, which include:
In Internet Explorer 7, the following set of calls would succeed:
- // initial document.domain is app1.example.com
- document.domain = "app1.example.com"; // 1. Domain property set to default value
- document.domain = "example.com"; // 2. “Loosen” domain
- document.domain = "app1.example.com"; // 3. “Tighten” domain
In Internet Explorer 8 and other browsers, the 3rd assignment will throw an exception, because app1.example.com is not a suffix of the then-current value, example.com.
Put simply, once you’ve loosened document.domain, you cannot tighten it.
HTML5 also specifies the circumstances in which one frame is permitted to use the targetname parameter of a window.open() call to navigate another named frame or window.
The rules are meant to help prevent a window injection vulnerability. In a window injection attack, a malicious website in one browser frame attempts to “hijack” a frame or popup owned by a trusted webpage.
For instance, consider the scenario where http://contoso.com opens a popup window with the name helpPage.
- window.open("helpTopic.htm", "helpPage", "height=200,width=400");
If another page at http://evil.example.com attempts to hijack this window, like so:
- window.open("spoof.htm", "helpPage", "height=200,width=400");
…instead of navigating the helpPage window owned by Contoso.com, spoof.htm will instead open in a new browser window. While Internet Explorer 7 and 8 always show an address bar on every window, this new restriction makes window injection spoofs even less convincing.
MIME-Handling: Sniffing Opt-Out
As discussed in Part V of this blog series, Internet Explorer’s MIME-sniffing capabilities can lead to security problems for servers hosting untrusted content. At that time, we announced a new Content-Type attribute (named “authoritative”) which could be used to disable MIME-sniffing for a particular HTTP response.
Over the past two months, we’ve received significant community feedback that using a new attribute on the Content-Type header would create a deployment headache for server operators. To that end, we have converted this option into a full-fledged HTTP response header. Sending the new X-Content-Type-Options response header with the value nosniff will prevent Internet Explorer from MIME-sniffing a response away from the declared content-type.
For example, given the following HTTP-response:HTML4< view plain text >
- HTTP/1.1 200 OK
- Content-Length: 108
- Date: Thu, 26 Jun 2008 22:06:28 GMT
- Content-Type: text/plain;
- X-Content-Type-Options: nosniff
- <body bgcolor="#AA0000">
- This page renders as HTML source code (text) in IE8.
XSS Attack Surface Reduction: CSS Expressions Disabled IE8 Standards Mode
Also known as “Dynamic Properties,” CSS expressions are a proprietary extension to CSS that carry a high performance cost. CSS Expressions are also commonly used by attackers to evade server-side XSS Filters.
As of Beta 2, CSS expressions are not supported in IE8 Standards Mode. They are still supported in IE7 Strict and Quirks mode for backward compatibility. While the IE8 XSS Filter can block attempts to reflect CSS Expressions as part of an XSS attack, blocking them in IE8 Standards Mode brings a performance benefit, improves standards-compliance, and acts as an attack surface reduction against script injection attacks.
Posted by Dion Almaer at 7:43 am