Hi malware fighters,
Internet Explorer 8 comes with all kind of new features
that makes computer crime a lot easier,
according to security vendor Websense the new Microsoft browser,
of which the first beta has been launched recently, supports cross-domain requests.
In this way attackers can more readily abuse certain vulnerabilities in websites…
As a rule cross-site-scripting leaks work through an img tag,
while this is one of the few features that are allowed to communicate out.
Through the new XDR objectan attacker may inject scriptcode
that directly communicated with the malicious server.
“Through this kind of direct communication it is expected
that injection payloads will get more complex and through various features.
Malicious frameworks can be builkt so the client can be in continuous
communication with the malicious server
to see what actions should be performed.
Stealing private data is only the beginning
of what these new technologies will accomplish,”
according to security researcher Joren McReynolds.
Websense makes it clear that the problem is not only in Internet Explorer 8,
because other browsers like Firefox will implement this also.
“The benefits of being able to directly communicate are that large
when product development and interactivity are concerned,
that other browser will bring this feature in.
Security and functionality are not the best matched pairt,
that leads to extrapolations without a clear solution in sight.”
Yes my malware fighters.
This here is a completely new feature: In Javascript an XmIHttpRequest
could only be sent to the same domain (‘same origin policy’).
This new interface does not have that restriction.
So a completely new and dangerous attack vector has been created,
polonus