http://www.osnews.com/story/15744/Microsoft_Research_Builds_BrowserShield_ Exploring the Future of Computing en-us Copyright 2001-2013, David Adams adam+nospam@osnews.com Tue, 21 May 2013 11:24:45 GMT http://www.osnews.com/images/osnews.gif http://www.osnews.com http://www.osnews.com/thread?159388 http://www.osnews.com/thread?159388 Ohh NOW there working on some extra security for IE.
They should have built it on .NET Tue, 05 Sep 2006 21:52:00 GMT donotreply@osnews.com (MrEcho) Comments http://www.osnews.com/thread?159391 http://www.osnews.com/thread?159391 More bloat for a bad designed browser. Patch over patch. Tue, 05 Sep 2006 21:54:00 GMT donotreply@osnews.com (sbenitezb) Comments http://www.osnews.com/thread?159400 http://www.osnews.com/thread?159400 Does it seem like MS's answer to everything is a new framework or a new kludge on top of existing software as an answer to everything ?

I swear the company spends more time writing security frameworks and anti-exploit tools for their own software then they do developing anything new. Tue, 05 Sep 2006 22:04:00 GMT donotreply@osnews.com (Bit_Rapist) Comments http://www.osnews.com/thread?159404 http://www.osnews.com/thread?159404 Sounds as if you can get some of this already using Privoxy. As it's a local proxy you can set all your browsers to run through just the one programme. Works well here, anyway, on both Windows and Linux. It also nixes adverts which I can't imagine the MS stuff doing. Tue, 05 Sep 2006 22:08:00 GMT donotreply@osnews.com (moleskine) Comments http://www.osnews.com/thread?159409 http://www.osnews.com/thread?159409 ...there's too much hype there. For example,
"BrowserShield transparently rewrote and rendered many familiar Web sites that use JavaScript, a scripting language that can be used to run arbitrary server-provided code on a client computer."
That's overstating things just a tad! If I didn't know better, I might think Javascript let the server send "format c:" to my machine, which would blithely run it.
Luckily that's not the case, despite Microsoft's best efforts at times - in theory at least Javascript is limited in what it can do.

Using a halfway decent browser, I don't feel any need to rewrite HTML on the fly. If code presented by a page is "potentially malicious" (of course just about anything is _potentially_ malicious, but obviously some things are worse than others), the browser shouldn't have any capability to display it. Tue, 05 Sep 2006 22:11:00 GMT donotreply@osnews.com (Archangel) Comments http://www.osnews.com/thread?159416 http://www.osnews.com/thread?159416 Cool, I really can't wait for another Microsoft's security feature (TM) in my browser! Oh joy, oh hapiness, this will surely make my browser work faster and I won't have any problems[/sarcasm] Tue, 05 Sep 2006 22:14:00 GMT donotreply@osnews.com (markob) Comments http://www.osnews.com/thread?159426 http://www.osnews.com/thread?159426 That's overstating things just a tad! If I didn't know better, I might think Javascript let the server send "format c:" to my machine, which would blithely run it.
Luckily that's not the case, despite Microsoft's best efforts at times - in theory at least Javascript is limited in what it can do.

I wouldn't be so sure:
http://news.zdnet.com/2100-1009_22-6099891.html

The malicious JavaScript can be embedded in a Web page and will run without warning when the page is viewed in any ordinary browser, the researchers said. It will bypass security measures such as a firewall because it runs through the user's browser, they said. Tue, 05 Sep 2006 22:21:00 GMT donotreply@osnews.com (WorknMan) Comments http://www.osnews.com/thread?159445 http://www.osnews.com/thread?159445 Is it possible to trust that an organisation releases software which is insecure either 'by design' or through incompetance?

Seems rather ironic that they cannot be trusted to build a secure product from the ground up, but then expect to be trusted to throw a security blanket over it to fix the original problems?

Cannot trust one aspect, but can be trusted on another?

As far as I am concerned, the open source community is about the only one that can be 'most trusted' for software security. Tue, 05 Sep 2006 22:47:00 GMT donotreply@osnews.com (flanque) Comments http://www.osnews.com/thread?159447 http://www.osnews.com/thread?159447 "Users of the Firefox browser should be aware of their script settings when surfing the internet. Firefox extensions like 'Noscript,' which bars malacious Javascript from executing, are a wise idea. They help ensure that the browser offers as small of a target as possible to malware authors, claims an article in PC Professionell magazine.

The report in the Munich-based magazine notes that malware authors are increasingly occupying themselves with the alternative browser. This includes spam mails that attack vulnerabilities in Firefox. These messages attempt to lure the user into clicking on a web address that contains specific Javascripts. If the site recognizes Firefox as the visiting browser, then the scripts attempt to exploit an older security hole in the browser, for which a patch has now been released, to smuggle malware or spyware onto the computer."

http://tech.monstersandcritics.com/news/article_1187456.php/Be_awar... Tue, 05 Sep 2006 22:49:00 GMT donotreply@osnews.com (NotParker) Comments http://www.osnews.com/thread?159453 http://www.osnews.com/thread?159453 You didn't read the article. It's browser agnostic in that it can be put in a firewall, among other places. Tue, 05 Sep 2006 22:57:00 GMT donotreply@osnews.com (ma_d) Comments http://www.osnews.com/thread?159456 http://www.osnews.com/thread?159456 If they weren't aware why would they be using firefox? Is that advice really specific to firefox? Could the same not apply to mosaic, internet explorer or lynx? Tue, 05 Sep 2006 23:00:00 GMT donotreply@osnews.com (Sphinx) Comments http://www.osnews.com/thread?159464 http://www.osnews.com/thread?159464 "Is that advice really specific to firefox?"

In this case Yes.

http://secunia.com/advisories/18700/

"4) An input validation error in the processing of the attribute name when calling "XULDocument.persist()" can be exploited to inject arbitrary XML and JavaScript code in "localstore.rdf", which will be executed with the permissions of the browser the next time the browser starts up again."

And more in the same "patch". Tue, 05 Sep 2006 23:20:00 GMT donotreply@osnews.com (NotParker) Comments http://www.osnews.com/thread?159477 http://www.osnews.com/thread?159477 This is not security.
This is a bandaide. Tue, 05 Sep 2006 23:32:00 GMT donotreply@osnews.com (postmodern) Comments http://www.osnews.com/thread?159478 http://www.osnews.com/thread?159478 Browser agnostic in the sense that it could be put into another MS product. The technology will be unavailable to anything else but MS-ware.

Not that it gets my panties in a bunch. I know what I'm doing and non-MS OSes are a little more resilient. Tue, 05 Sep 2006 23:34:00 GMT donotreply@osnews.com (r_a_trip) Comments http://www.osnews.com/thread?159531 http://www.osnews.com/thread?159531 At least they are trying to fix some issues that other browsers won't even get to think about fixing.

The mental midgets on here are insane. Just because Microsoft wants to make something more secure and wants to add this to their browser which does not exist for other browsers and probably won't they are all jealous.

I think it is a great idea and I would like to see other browsers like Firefox to adopt something like this.

Screw the haters living in their parents house. Wed, 06 Sep 2006 00:57:00 GMT donotreply@osnews.com (proforma) Comments http://www.osnews.com/thread?159544 http://www.osnews.com/thread?159544 From the exact same page

http://secunia.com/advisories/18700/

Solution:
Update to versions 1.0.8 or 1.5.0.1.
http://www.mozilla.com/firefox/

Old news.

The current version of Firefox is 1.5.0.6 Wed, 06 Sep 2006 01:17:00 GMT donotreply@osnews.com (hal2k1) Comments http://www.osnews.com/thread?159597 http://www.osnews.com/thread?159597 "NotParker" says:

"Users of the Firefox browser should be aware of their script settings when surfing the internet. Firefox extensions like 'Noscript,' which bars malacious Javascript from executing, are a wise idea. They help ensure that the browser offers as small of a target as possible to malware authors, claims an article in PC Professionell magazine.

The report in the Munich-based magazine notes that malware authors are increasingly occupying themselves with the alternative browser. This includes spam mails that attack vulnerabilities in Firefox. These messages attempt to lure the user into clicking on a web address that contains specific Javascripts. If the site recognizes Firefox as the visiting browser, then the scripts attempt to exploit an older security hole in the browser, for which a patch has now been released, to smuggle malware or spyware onto the computer."

LOL! This has already been fixed!

Mission to undermine Firefox has failed.
*Press any key to continue*

:-D Wed, 06 Sep 2006 03:51:00 GMT donotreply@osnews.com (Aussie_Bear) Comments http://www.osnews.com/thread?159605 http://www.osnews.com/thread?159605 -Imagines NotParker fumbling around for the Any key- Wed, 06 Sep 2006 04:11:00 GMT donotreply@osnews.com (twenex) Comments http://www.osnews.com/thread?159607 http://www.osnews.com/thread?159607 All the Bandaids in the world are not going to fix a
User's proclivity to stick their fingers in someplace
that they don't belong. Nice try guys, why not make it
impossible to do bad things with iE?? Oh, that's right,
you would have to throw out backwards compatibility with
all of those fancy bells and whistles that you placed in the Windows OS back when it was only meant to run on non-networked PCs. Decisions, decisions (tsk).
Jim Wed, 06 Sep 2006 04:15:00 GMT donotreply@osnews.com (StychoKiller) Comments http://www.osnews.com/thread?159635 http://www.osnews.com/thread?159635 I thought you needed a prescription for those shield barriers. Why not a more catchy name and slogan like
Browser Prophylactic - Dont get infected!
or similar? Wed, 06 Sep 2006 07:03:00 GMT donotreply@osnews.com (deanlinkous) Comments http://www.osnews.com/thread?159718 http://www.osnews.com/thread?159718 I don't understand why is everyone attacking MS and their actions. I personaly don't favour MS but when someone is right, I do admit it. Looks like they get attacked either way regardless whether **they are doing **something** or not doing something about their security issues. E.g: when there were not any updates for IE until IE7

Also, if you trully undertstand things, you will know that the more user friendly something is, the more vulnerable is to attacks and security flaws so there is nothing surprising here. Yes, Linux is secure but it is not as user friendly as Windows. Even MacOS X has security issues and we all know it is a Unix/BSD...Edited 2006-09-06 12:51 Wed, 06 Sep 2006 12:49:00 GMT donotreply@osnews.com (OSGuy) Comments http://www.osnews.com/thread?159723 http://www.osnews.com/thread?159723 So they just leave the security flaws inside the browser and instead do a kind of pattern matching on websites!? That's like completely retarded.. Wed, 06 Sep 2006 13:19:00 GMT donotreply@osnews.com (Ben Jao Ming) Comments http://www.osnews.com/thread?159729 http://www.osnews.com/thread?159729 Don't fix the browser, fix the web, brilliant piece that. Wed, 06 Sep 2006 13:33:00 GMT donotreply@osnews.com (Sphinx) Comments http://www.osnews.com/thread?159730 http://www.osnews.com/thread?159730 So this was fixed in a timely manner and has not been an issue for some time. Wed, 06 Sep 2006 13:36:00 GMT donotreply@osnews.com (Sphinx) Comments http://www.osnews.com/thread?159763 http://www.osnews.com/thread?159763 After installing on a *virgin* XP system I rebooted and I immediately saw the "IE has performed a fatal exception error" and crashed on my very first login as admin. Will the browser shield shield me from this pain? Wed, 06 Sep 2006 15:01:00 GMT donotreply@osnews.com (buff) Comments http://www.osnews.com/thread?159793 http://www.osnews.com/thread?159793 No, I'd say it's more like an antibody, eliminating threats as they enter the system, will it work? I don't know, but this could be added to your firewall and protect everything, not just IE. I wouldn't call it a bandaid at all Wed, 06 Sep 2006 15:54:00 GMT donotreply@osnews.com (BluenoseJake) Comments http://www.osnews.com/thread?159810 http://www.osnews.com/thread?159810 Internet Explorer is so heavily embedded within Windows, and lot's of crucial functionality, that if MS were to completely re-write IE (as it desperately needs), they would destroy a lot of stuff in Windows.

Thus, MS have to put a blanket on top of IE to provide better security.

Actually, I applaud their efforts. They're actually trying to solve a problem.

Unfortunately, they're being forced (due to their bad design decisions of the past) to use a kludge/hack.

I'm just glad I use Linux most of the time, and when I'm on Windows, I use Opera or Seamonkey or Firefox. Wed, 06 Sep 2006 16:29:00 GMT donotreply@osnews.com (JeffS) Comments http://www.osnews.com/thread?159854 http://www.osnews.com/thread?159854 They should be working on "BrowserThanDoesntHaveGapingSecurityHolesInTheFirstPlace" instead of a band-aid fix for the mess that is IE. Wed, 06 Sep 2006 18:48:00 GMT donotreply@osnews.com (EmmEff) Comments http://www.osnews.com/thread?159939 http://www.osnews.com/thread?159939 ... What do you think they are trying to do with IE7? Sheesh you people are rough. Wed, 06 Sep 2006 21:14:00 GMT donotreply@osnews.com (sappyvcv) Comments http://www.osnews.com/thread?159961 http://www.osnews.com/thread?159961 I don't agree that this is a bandaid.

To some extent, having smaller 'security' modules abstracted from the program itself allows much easier and quicker patching. Wed, 06 Sep 2006 21:51:00 GMT donotreply@osnews.com (PJBonoVox) Comments http://www.osnews.com/thread?160064 http://www.osnews.com/thread?160064 //... What do you think they are trying to do with IE7? Sheesh you people are rough.//

Not at all.

All of Microsoft's security woes are of their own making.

They were so keen to try to lock the internet itself to Microsoft products (ie. how many sites have been in the past "IE only?") that they embedded their browser inextricably with their OS and they made their browser hopelessly non-complaint to standards. Embrace and extend.

Now because the browser is so integral to the OS, it intrinsically has too much authority within the OS and if exploited can do too much damage to the local OS installation, and at the same time it is insanely easy to exploit because it has access to far too much of the underlying OS functionality.

IE security, like much of windows security, is borked by design.

Microsoft's quest for customer lock-in to Microsoft products is the wholly transparent root cause of these problems.

Microsoft richly deserve every rant that is directed against them, and every pain that trying to fix the unfixable brings them.Edited 2006-09-07 03:59 Thu, 07 Sep 2006 03:57:00 GMT donotreply@osnews.com (hal2k1) Comments http://www.osnews.com/thread?160065 http://www.osnews.com/thread?160065 Your post had nothing to do with what I, nor the GP poster, said.

Congratulations. Thu, 07 Sep 2006 04:02:00 GMT donotreply@osnews.com (sappyvcv) Comments http://www.osnews.com/thread?160363 http://www.osnews.com/thread?160363 IMHO, they would've been better off writing the browser from scratch... the maintenance costs alone for IE6 (and probably IE7) will probably be in the tens of millions. No joke. Fri, 08 Sep 2006 02:50:00 GMT donotreply@osnews.com (EmmEff) Comments