Microsoft addresses XSS in Internet Explorer

Fugitif · 5 Jul 2008

Microsoft addresses XSS in Internet Explorer

Microsoft is planning to add a series of new security features to the next version of its Internet Explorer browser, including protection against cross-site scripting attacks.

A beta version of IE 8 is due out in August, and along with the XSS filter, it will include a filter designed to provide better protection against phishing attacks, features that make it easier for developers to request resources and share information across domains, and some changes to the way that ActiveX controls are handled by the browser. Specifically, developers will be able to write controls that are only available for the individual user who downloads them..
The announcement of the new security features in IE 8 came just a week after the release of Firefox 3, the latest version of IE's main competition in the browser world. Firefox 3 also includes updated antimalware and antiphishing capabilities and several other security updates. Microsoft has been fighting to repair the security reputation of IE for several years, since the initial release of Firefox, which the Mozilla Foundation has positioned as a more secure alternative to IE.

But Microsoft has been making steady progress on the security of its ubiquitous browser in recent versions, and IE 8 serves to further that cause. The most intriguing and potentially most useful feature in the new browser is the XSS filter, which is built to protect against Type-1 XSS attacks. These attacks are among the more common ones online right now, and many non-technical users have little idea that they even exist, let alone what to do about them. The XSS filter in IE 8 monitors all of the requests and responses made by the browser and automatically disables XSS attacks when they're detected. Users will see a modified version of the requested page, showing them that the attack was blocked
Click to expand...

More:

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1319861,00.html#

desTiny · 7 Jul 2008

offtop:Fugitif, i see you like talking to yourslf

very interesting, how do they detect whether the script is good or evil...

Flame of Soul · 7 Jul 2008

As though Microsoft did not try IE as was a donkey so faster and did not start to run.

Fugitif · 8 Jul 2008

Microsoft: Hackers Exploiting Unpatched Office Flaw

Microsoft: Hackers Exploiting Unpatched Office Flaw

.Microsoft today issued stopgap instructions for plugging a previously unknown security hole that hackers are currently using to break into Windows computers via the Internet Explorer (IE) Web browser.

The problem, once again, is with a faulty ActiveX control. ActiveX is a Windows technology that works through IE and allows Web sites to add software to the user's computer or interact with components in the Windows operating system. In this case, the insecure component is an ActiveX control called "Snapshot Viewer," which ships with all versions of Microsoft Office 2000, Office 2002, and Office 2003. The flawed ActiveX control also is also shipped with the standalone Snapshot Viewer.

Microsoft warns that merely browsing with IE to a malicious (or hacked) Web site that exploits this vulnerability could be enough to compromise your system. So far, Redmond says it is seeing only "limited, targeted attacks" leveraging the vulnerability.

But, of course, that situation could change at any time. One way to avoid worrying about these attacks is to use an alternative browser, such as Firefox or Opera. For those who wish to continue browsing with IE, Microsoft suggests a couple of workarounds.

One approach involves changing the default security level of IE's Internet Zone to "high," and/or disabling active scripting in the browser. This approach will likely disable Javascript on many Web sites, some of which may load strangely or simply fail to work altogether after this change.

Microsoft also offers a less painful solution that doesn't fix the underlying vulnerability but prevents it from being exploited via IE. While logged in under an administrator account, open up Notepad (Start, Programs, Accessories, Notepad), and then cut and paste the following text:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F0E42D50-368C-11D0-AD81-00A0C90DC8D9}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F0E42D60-368C-11D0-AD81-00A0C90DC8D9}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F2175210-368C-11D0-AD81-00A0C90DC8D9}]
"Compatibility Flags"=dword:00000400

It doesn't matter what name you give the file when you save it, as long as the file ends in ".reg" (so for example, you might name it "fix.reg" without the double quotes, of course). Once you've saved the file, double click on it, and click "yes" when asked if you want to add the information to the Windows registry.
Click to expand...

http://blog.washingtonpost.com/securityfix/2008/07/microsoft_hackers_exploiting_u_2.html

Microsoft addresses XSS in Internet Explorer

Fugitif Elder - Старейшина

desTiny Elder - Старейшина

Flame of Soul Elder - Старейшина

Fugitif Elder - Старейшина

Useful Searches

Microsoft addresses XSS in Internet Explorer

Fugitif Elder - Старейшина

desTiny Elder - Старейшина

Flame of Soul Elder - Старейшина

Fugitif Elder - Старейшина