Microsoft researchers are experimenting with an automatic code zapper for the company’s Internet Explorer Web browser. Researchers at the company have completed work on a prototype framework called BrowserShield that promises to allow IE to intercept and remove, on the fly, malicious code hidden on Web pages, instead showing users safe equivalents of those pages.
Ohh NOW they're working on some extra security for IE.
They should have built it on .NET
This is not security.
This is a bandaid.
No, I’d say it’s more like an antibody, eliminating threats as they enter the system, will it work? I don’t know, but this could be added to your firewall and protect everything, not just IE. I wouldn’t call it a bandaid at all
I don’t agree that this is a bandaid.
To some extent, having smaller ‘security’ modules abstracted from the program itself allows much easier and quicker patching.
More bloat for a badly designed browser. Patch over patch.
You didn’t read the article. It’s browser agnostic in that it can be put in a firewall, among other places.
Browser agnostic in the sense that it could be put into another MS product. The technology will be unavailable to anything else but MS-ware.
Not that it gets my panties in a bunch. I know what I’m doing and non-MS OSes are a little more resilient.
Does it seem like MS’s answer to everything is a new framework or a new kludge on top of existing software as an answer to everything?
I swear the company spends more time writing security frameworks and anti-exploit tools for their own software than they do developing anything new.
Sounds as if you can get some of this already using Privoxy. As it’s a local proxy you can set all your browsers to run through just the one programme. Works well here, anyway, on both Windows and Linux. It also nixes adverts which I can’t imagine the MS stuff doing.
…there’s too much hype there. For example,
“BrowserShield transparently rewrote and rendered many familiar Web sites that use JavaScript, a scripting language that can be used to run arbitrary server-provided code on a client computer.”
That’s overstating things just a tad! If I didn’t know better, I might think Javascript let the server send “format c:” to my machine, which would blithely run it.
Luckily that’s not the case, despite Microsoft’s best efforts at times – in theory at least Javascript is limited in what it can do.
Using a halfway decent browser, I don’t feel any need to rewrite HTML on the fly. If code presented by a page is “potentially malicious” (of course just about anything is _potentially_ malicious, but obviously some things are worse than others), the browser shouldn’t have any capability to display it.
That’s overstating things just a tad! If I didn’t know better, I might think Javascript let the server send “format c:” to my machine, which would blithely run it.
Luckily that’s not the case, despite Microsoft’s best efforts at times – in theory at least Javascript is limited in what it can do.
I wouldn’t be so sure:
http://news.zdnet.com/2100-1009_22-6099891.html
The malicious JavaScript can be embedded in a Web page and will run without warning when the page is viewed in any ordinary browser, the researchers said. It will bypass security measures such as a firewall because it runs through the user’s browser, they said.
Cool, I really can’t wait for another Microsoft’s security feature (TM) in my browser! Oh joy, oh happiness, this will surely make my browser work faster and I won’t have any problems[/sarcasm]
Is it possible to trust that an organisation releases software which is insecure either ‘by design’ or through incompetence?
Seems rather ironic that they cannot be trusted to build a secure product from the ground up, but then expect to be trusted to throw a security blanket over it to fix the original problems?
Cannot trust one aspect, but can be trusted on another?
As far as I am concerned, the open source community is about the only one that can be ‘most trusted’ for software security.
“Users of the Firefox browser should be aware of their script settings when surfing the internet. Firefox extensions like ‘Noscript,’ which bars malicious Javascript from executing, are a wise idea. They help ensure that the browser offers as small of a target as possible to malware authors, claims an article in PC Professionell magazine.
The report in the Munich-based magazine notes that malware authors are increasingly occupying themselves with the alternative browser. This includes spam mails that attack vulnerabilities in Firefox. These messages attempt to lure the user into clicking on a web address that contains specific Javascripts. If the site recognizes Firefox as the visiting browser, then the scripts attempt to exploit an older security hole in the browser, for which a patch has now been released, to smuggle malware or spyware onto the computer.”
http://tech.monstersandcritics.com/news/article_1187456.php/Be_awar…
If they weren’t aware why would they be using firefox? Is that advice really specific to firefox? Could the same not apply to mosaic, internet explorer or lynx?
“Is that advice really specific to firefox?”
In this case Yes.
http://secunia.com/advisories/18700/
“4) An input validation error in the processing of the attribute name when calling “XULDocument.persist()” can be exploited to inject arbitrary XML and JavaScript code in “localstore.rdf”, which will be executed with the permissions of the browser the next time the browser starts up again.”
And more in the same “patch”.
From the exact same page
http://secunia.com/advisories/18700/
Solution:
Update to versions 1.0.8 or 1.5.0.1.
http://www.mozilla.com/firefox/
Old news.
The current version of Firefox is 1.5.0.6
So this was fixed in a timely manner and has not been an issue for some time.
“NotParker” says:
“Users of the Firefox browser should be aware of their script settings when surfing the internet. Firefox extensions like ‘Noscript,’ which bars malicious Javascript from executing, are a wise idea. They help ensure that the browser offers as small of a target as possible to malware authors, claims an article in PC Professionell magazine.
The report in the Munich-based magazine notes that malware authors are increasingly occupying themselves with the alternative browser. This includes spam mails that attack vulnerabilities in Firefox. These messages attempt to lure the user into clicking on a web address that contains specific Javascripts. If the site recognizes Firefox as the visiting browser, then the scripts attempt to exploit an older security hole in the browser, for which a patch has now been released, to smuggle malware or spyware onto the computer.”
LOL! This has already been fixed!
Mission to undermine Firefox has failed.
*Press any key to continue*
😀
-Imagines NotParker fumbling around for the Any key-
At least they are trying to fix some issues that other browsers won’t even get to think about fixing.
The mental midgets on here are insane. Just because Microsoft wants to make something more secure and wants to add this to their browser which does not exist for other browsers and probably won’t they are all jealous.
I think it is a great idea and I would like to see other browsers like Firefox to adopt something like this.
Screw the haters living in their parents house.
All the Bandaids in the world are not going to fix a user’s proclivity to stick their fingers in someplace that they don’t belong. Nice try guys, why not make it impossible to do bad things with IE?? Oh, that’s right, you would have to throw out backwards compatibility with all of those fancy bells and whistles that you placed in the Windows OS back when it was only meant to run on non-networked PCs. Decisions, decisions (tsk).
Jim
I thought you needed a prescription for those shield barriers. Why not a more catchy name and slogan like
Browser Prophylactic – Don’t get infected!
or similar?
I don’t understand why everyone is attacking MS and their actions. I personally don’t favour MS but when someone is right, I do admit it. Looks like they get attacked either way regardless of whether they are doing something or not doing something about their security issues. E.g: when there were not any updates for IE until IE7
Also, if you truly understand things, you will know that the more user friendly something is, the more vulnerable it is to attacks and security flaws so there is nothing surprising here. Yes, Linux is secure but it is not as user friendly as Windows. Even MacOS X has security issues and we all know it is a Unix/BSD…
Edited 2006-09-06 12:51
So they just leave the security flaws inside the browser and instead do a kind of pattern matching on websites!? That’s like completely retarded..
Don’t fix the browser, fix the web, brilliant piece that.
After installing on a *virgin* XP system I rebooted and I immediately saw the “IE has performed a fatal exception error” and crashed on my very first login as admin. Will the browser shield shield me from this pain?
Internet Explorer is so heavily embedded within Windows, and lots of crucial functionality, that if MS were to completely re-write IE (as it desperately needs), they would destroy a lot of stuff in Windows.
Thus, MS have to put a blanket on top of IE to provide better security.
Actually, I applaud their efforts. They’re actually trying to solve a problem.
Unfortunately, they’re being forced (due to their bad design decisions of the past) to use a kludge/hack.
I’m just glad I use Linux most of the time, and when I’m on Windows, I use Opera or Seamonkey or Firefox.
They should be working on “BrowserThanDoesntHaveGapingSecurityHolesInTheFirstPlace” instead of a band-aid fix for the mess that is IE.
… What do you think they are trying to do with IE7? Sheesh you people are rough.
//… What do you think they are trying to do with IE7? Sheesh you people are rough.//
Not at all.
All of Microsoft’s security woes are of their own making.
They were so keen to try to lock the internet itself to Microsoft products (ie. how many sites have been in the past “IE only?”) that they embedded their browser inextricably with their OS and they made their browser hopelessly non-compliant to standards. Embrace and extend.
Now because the browser is so integral to the OS, it intrinsically has too much authority within the OS and if exploited can do too much damage to the local OS installation, and at the same time it is insanely easy to exploit because it has access to far too much of the underlying OS functionality.
IE security, like much of windows security, is borked by design.
Microsoft’s quest for customer lock-in to Microsoft products is the wholly transparent root cause of these problems.
Microsoft richly deserve every rant that is directed against them, and every pain that trying to fix the unfixable brings them.
Edited 2006-09-07 03:59
Your post had nothing to do with what I, nor the GP poster, said.
Congratulations.
IMHO, they would’ve been better off writing the browser from scratch… the maintenance costs alone for IE6 (and probably IE7) will probably be in the tens of millions. No joke.