Linked by Thom Holwerda on Tue 5th Sep 2006 21:38 UTC
Microsoft researchers are experimenting with an automatic code zapper for the company's Internet Explorer Web browser. Researchers at the company have completed work on a prototype framework called BrowserShield that promises to allow IE to intercept and remove, on the fly, malicious code hidden on Web pages, instead showing users safe equivalents of those pages.
IE7
by MrEcho on Tue 5th Sep 2006 21:52 UTC
RE: IE7
by postmodern on Tue 5th Sep 2006 23:32 UTC in reply to "IE7"
postmodern Member since:
2006-01-27

This is not security.
This is a bandaid.

Reply Score: 1

RE[2]: IE7
by BluenoseJake on Wed 6th Sep 2006 15:54 UTC in reply to "RE: IE7"
BluenoseJake Member since:
2005-08-11

No, I'd say it's more like an antibody, eliminating threats as they enter the system. Will it work? I don't know, but this could be added to your firewall and protect everything, not just IE. I wouldn't call it a bandaid at all.

Reply Score: 1

RE[2]: IE7
by PJBonoVox on Wed 6th Sep 2006 21:51 UTC in reply to "RE: IE7"
PJBonoVox Member since:
2006-08-14

I don't agree that this is a bandaid.

To some extent, having smaller 'security' modules abstracted from the program itself allows much easier and quicker patching.

Reply Score: 1

Bloat
by sbenitezb on Tue 5th Sep 2006 21:54 UTC
sbenitezb
Member since:
2005-07-22

More bloat for a badly designed browser. Patch over patch.

Reply Score: 3

RE: Bloat
by ma_d on Tue 5th Sep 2006 22:57 UTC in reply to "Bloat"
ma_d Member since:
2005-06-29

You didn't read the article. It's browser agnostic in that it can be put in a firewall, among other places.

Reply Score: 4

RE[2]: Bloat
by r_a_trip on Tue 5th Sep 2006 23:34 UTC in reply to "RE: Bloat"
r_a_trip Member since:
2005-07-06

Browser agnostic in the sense that it could be put into another MS product. The technology will be unavailable to anything else but MS-ware.

Not that it gets my panties in a bunch. I know what I'm doing and non-MS OSes are a little more resilient.

Reply Score: 3

Is it just me?
by Bit_Rapist on Tue 5th Sep 2006 22:04 UTC
Bit_Rapist
Member since:
2005-11-13

Does it seem like MS's answer to everything is a new framework or a new kludge on top of existing software as an answer to everything?

I swear the company spends more time writing security frameworks and anti-exploit tools for their own software than they do developing anything new.

Reply Score: 5

So what else is new?
by moleskine on Tue 5th Sep 2006 22:08 UTC
moleskine
Member since:
2005-11-05

Sounds as if you can get some of this already using Privoxy. As it's a local proxy you can set all your browsers to run through just the one programme. Works well here, anyway, on both Windows and Linux. It also nixes adverts which I can't imagine the MS stuff doing.

Reply Score: 2

Methinks...
by Archangel on Tue 5th Sep 2006 22:11 UTC
Archangel
Member since:
2005-07-23

...there's too much hype there. For example,
"BrowserShield transparently rewrote and rendered many familiar Web sites that use JavaScript, a scripting language that can be used to run arbitrary server-provided code on a client computer."
That's overstating things just a tad! If I didn't know better, I might think Javascript let the server send "format c:" to my machine, which would blithely run it.
Luckily that's not the case, despite Microsoft's best efforts at times - in theory at least Javascript is limited in what it can do.

Using a halfway decent browser, I don't feel any need to rewrite HTML on the fly. If code presented by a page is "potentially malicious" (of course just about anything is _potentially_ malicious, but obviously some things are worse than others), the browser shouldn't have any capability to display it.

Reply Score: 2

RE: Methinks...
by WorknMan on Tue 5th Sep 2006 22:21 UTC in reply to "Methinks..."
WorknMan Member since:
2005-11-13

"That's overstating things just a tad! If I didn't know better, I might think Javascript let the server send "format c:" to my machine, which would blithely run it.
Luckily that's not the case, despite Microsoft's best efforts at times - in theory at least Javascript is limited in what it can do."


I wouldn't be so sure:
http://news.zdnet.com/2100-1009_22-6099891.html

The malicious JavaScript can be embedded in a Web page and will run without warning when the page is viewed in any ordinary browser, the researchers said. It will bypass security measures such as a firewall because it runs through the user's browser, they said.

Reply Score: 4

Goodie!
by markob on Tue 5th Sep 2006 22:14 UTC
markob
Member since:
2005-07-06

Cool, I really can't wait for another Microsoft's security feature (TM) in my browser! Oh joy, oh happiness, this will surely make my browser work faster and I won't have any problems[/sarcasm]

Reply Score: 2

Trustworthy?
by flanque on Tue 5th Sep 2006 22:47 UTC
flanque
Member since:
2005-12-15

Is it possible to trust that an organisation releases software which is insecure either 'by design' or through incompetence?

Seems rather ironic that they cannot be trusted to build a secure product from the ground up, but then expect to be trusted to throw a security blanket over it to fix the original problems?

Cannot trust one aspect, but can be trusted on another?

As far as I am concerned, the open source community is about the only one that can be 'most trusted' for software security.

Reply Score: 5

Firefox = Insecure by design?
by NotParker on Tue 5th Sep 2006 22:49 UTC
NotParker
Member since:
2006-06-01

"Users of the Firefox browser should be aware of their script settings when surfing the internet. Firefox extensions like 'Noscript,' which bars malicious Javascript from executing, are a wise idea. They help ensure that the browser offers as small of a target as possible to malware authors, claims an article in PC Professionell magazine.

The report in the Munich-based magazine notes that malware authors are increasingly occupying themselves with the alternative browser. This includes spam mails that attack vulnerabilities in Firefox. These messages attempt to lure the user into clicking on a web address that contains specific Javascripts. If the site recognizes Firefox as the visiting browser, then the scripts attempt to exploit an older security hole in the browser, for which a patch has now been released, to smuggle malware or spyware onto the computer."

http://tech.monstersandcritics.com/news/article_1187456.php/Be_awar...

Reply Score: 2

RE: Firefox = Insecure by design?
by Sphinx on Tue 5th Sep 2006 23:00 UTC in reply to "Firefox = Insecure by design?"
Sphinx Member since:
2005-07-09

If they weren't aware why would they be using firefox? Is that advice really specific to firefox? Could the same not apply to mosaic, internet explorer or lynx?

Reply Score: 1

NotParker Member since:
2006-06-01

"Is that advice really specific to firefox?"

In this case Yes.

http://secunia.com/advisories/18700/

"4) An input validation error in the processing of the attribute name when calling "XULDocument.persist()" can be exploited to inject arbitrary XML and JavaScript code in "localstore.rdf", which will be executed with the permissions of the browser the next time the browser starts up again."

And more in the same "patch".

Reply Score: 1

hal2k1 Member since:
2005-11-11

From the exact same page

http://secunia.com/advisories/18700/

Solution:
Update to versions 1.0.8 or 1.5.0.1.
http://www.mozilla.com/firefox/

Old news.

The current version of Firefox is 1.5.0.6

Reply Score: 1

Sphinx Member since:
2005-07-09

So this was fixed in a timely manner and has not been an issue for some time.

Reply Score: 1

Aussie_Bear Member since:
2006-01-12

"NotParker" says:

"Users of the Firefox browser should be aware of their script settings when surfing the internet. Firefox extensions like 'Noscript,' which bars malicious Javascript from executing, are a wise idea. They help ensure that the browser offers as small of a target as possible to malware authors, claims an article in PC Professionell magazine.

The report in the Munich-based magazine notes that malware authors are increasingly occupying themselves with the alternative browser. This includes spam mails that attack vulnerabilities in Firefox. These messages attempt to lure the user into clicking on a web address that contains specific Javascripts. If the site recognizes Firefox as the visiting browser, then the scripts attempt to exploit an older security hole in the browser, for which a patch has now been released, to smuggle malware or spyware onto the computer."


LOL! This has already been fixed!

Mission to undermine Firefox has failed.
*Press any key to continue*

:-D

Reply Score: 1

twenex Member since:
2006-04-21

-Imagines NotParker fumbling around for the Any key-

Reply Score: 2

I think it is a great idea
by proforma on Wed 6th Sep 2006 00:57 UTC
proforma
Member since:
2005-08-27

At least they are trying to fix some issues that other browsers won't even get to think about fixing.

The mental midgets on here are insane. Just because Microsoft wants to make something more secure and wants to add this to their browser which does not exist for other browsers and probably won't they are all jealous.

I think it is a great idea and I would like to see other browsers like Firefox to adopt something like this.

Screw the haters living in their parents house.

Reply Score: 3

Another layer of bandaids...
by StychoKiller on Wed 6th Sep 2006 04:15 UTC
StychoKiller
Member since:
2005-09-20

All the Bandaids in the world are not going to fix a User's proclivity to stick their fingers in someplace that they don't belong. Nice try guys, why not make it impossible to do bad things with IE?? Oh, that's right, you would have to throw out backwards compatibility with all of those fancy bells and whistles that you placed in the Windows OS back when it was only meant to run on non-networked PCs. Decisions, decisions (tsk).
Jim

Reply Score: 1

yea
by deanlinkous on Wed 6th Sep 2006 07:03 UTC
deanlinkous
Member since:
2006-06-19

I thought you needed a prescription for those shield barriers. Why not a more catchy name and slogan like
Browser Prophylactic - Don't get infected!
or similar?

Reply Score: 1

Security
by OSGuy on Wed 6th Sep 2006 12:49 UTC
OSGuy
Member since:
2006-01-01

I don't understand why everyone is attacking MS and their actions. I personally don't favour MS but when someone is right, I do admit it. Looks like they get attacked either way regardless whether they are doing something or not doing something about their security issues. E.g.: when there were not any updates for IE until IE7.

Also, if you truly understand things, you will know that the more user friendly something is, the more vulnerable it is to attacks and security flaws so there is nothing surprising here. Yes, Linux is secure but it is not as user friendly as Windows. Even MacOS X has security issues and we all know it is a Unix/BSD...

Edited 2006-09-06 12:51

Reply Score: 2

OMG
by Ben Jao Ming on Wed 6th Sep 2006 13:19 UTC
Ben Jao Ming
Member since:
2005-07-26

So they just leave the security flaws inside the browser and instead do a kind of pattern matching on websites!? That's like completely retarded..

Reply Score: 2

I get this one
by Sphinx on Wed 6th Sep 2006 13:33 UTC
Sphinx
Member since:
2005-07-09

Don't fix the browser, fix the web, brilliant piece that.

Reply Score: 2

Will browser shield fix this?
by buff on Wed 6th Sep 2006 15:01 UTC
buff
Member since:
2005-11-12

After installing on a *virgin* XP system I rebooted and I immediately saw the "IE has performed a fatal exception error" and crashed on my very first login as admin. Will the browser shield shield me from this pain?

Reply Score: 1

They don't want to re write IE
by JeffS on Wed 6th Sep 2006 16:29 UTC
JeffS
Member since:
2005-07-12

Internet Explorer is so heavily embedded within Windows, and lots of crucial functionality, that if MS were to completely re-write IE (as it desperately needs), they would destroy a lot of stuff in Windows.

Thus, MS have to put a blanket on top of IE to provide better security.

Actually, I applaud their efforts. They're actually trying to solve a problem.

Unfortunately, they're being forced (due to their bad design decisions of the past) to use a kludge/hack.

I'm just glad I use Linux most of the time, and when I'm on Windows, I use Opera or Seamonkey or Firefox.

Reply Score: 1

Misdirected efforts...
by EmmEff on Wed 6th Sep 2006 18:48 UTC
EmmEff
Member since:
2005-09-16

They should be working on "BrowserThatDoesntHaveGapingSecurityHolesInTheFirstPlace" instead of a band-aid fix for the mess that is IE.

Reply Score: 1

RE: Misdirected efforts...
by sappyvcv on Wed 6th Sep 2006 21:14 UTC in reply to "Misdirected efforts..."
sappyvcv Member since:
2005-07-06

... What do you think they are trying to do with IE7? Sheesh you people are rough.

Reply Score: 1

RE[2]: Misdirected efforts...
by hal2k1 on Thu 7th Sep 2006 03:57 UTC in reply to "RE: Misdirected efforts..."
hal2k1 Member since:
2005-11-11

//... What do you think they are trying to do with IE7? Sheesh you people are rough.//

Not at all.

All of Microsoft's security woes are of their own making.

They were so keen to try to lock the internet itself to Microsoft products (ie. how many sites have been in the past "IE only?") that they embedded their browser inextricably with their OS and they made their browser hopelessly non-compliant to standards. Embrace and extend.

Now because the browser is so integral to the OS, it intrinsically has too much authority within the OS and if exploited can do too much damage to the local OS installation, and at the same time it is insanely easy to exploit because it has access to far too much of the underlying OS functionality.

IE security, like much of windows security, is borked by design.

Microsoft's quest for customer lock-in to Microsoft products is the wholly transparent root cause of these problems.

Microsoft richly deserve every rant that is directed against them, and every pain that trying to fix the unfixable brings them.

Edited 2006-09-07 03:59

Reply Score: 1

RE[3]: Misdirected efforts...
by sappyvcv on Thu 7th Sep 2006 04:02 UTC in reply to "RE[2]: Misdirected efforts..."
sappyvcv Member since:
2005-07-06

Your post had nothing to do with what I, nor the GP poster, said.

Congratulations.

Reply Score: 1

RE[2]: Misdirected efforts...
by EmmEff on Fri 8th Sep 2006 02:50 UTC in reply to "Misdirected efforts..."
EmmEff Member since:
2005-09-16

IMHO, they would've been better off writing the browser from scratch... the maintenance costs alone for IE6 (and probably IE7) will probably be in the tens of millions. No joke.

Reply Score: 1