Two IE8 security secrets users should love

Analysis
Apr 6, 20094 mins

IE8 includes more security tricks than any previous Microsoft browser. Many of them are well publicized, but several of them require digging and know how. Here are two from product tester Thomas Powell, as part of a larger browser review that revealed 15 secrets of IE8, Firefox and other next-gen browsers, published in Network World.

1. IE8 takes on cross-site scripting

Internet Explorer 8 tries to help stem the rising tide of XSS attacks by addressing what is dubbed a Type 1 or non-persistent XSS attack. To that end, Microsoft has added a filter to Internet Explorer 8 that looks at URLs for common patterns like found in the URL and then knocks it down, often by simply substituting a character. If such values should be legitimately found in a URL, it is possible to disable the feature by returning the HTTP header X-XSS-Protection with a value of 0 either at the server or application level.

There are also small developer focused XSS preventative measures in IE8 which apply to the new JavaScript toStaticHTML() method that can be used to purify received content that may include malicious script code in it. Making sure that site developers sanitize received content is a best practice that should be encouraged.

If a Web site links to another site’s JavaScript or consume received HTML or JavaScript payloads with little inspection, administrators and developers alike must realize that they are only as safe as what is linked to. Given the dynamic nature of JavaScript there is simply little end to the kind of mischief that can be achieved. Indeed the dark side of Web 2.0 is a naïve blind trust of end users and Web services on public facing sites, so while these browser changes may help address XSS in some ways, ultimately, they cannot solve the underlying problem of not acknowledging the security relationship implicitly in play.

2. MIME Smuggling: An ON/OFF Switch in IE 8

One annoying aspect of both the existing and upcoming versions of Internet Explorer is that far too often when Microsoft makes things easier for developers, it also consistently opens up troubling security problems for end users and site owners alike. (See slideshow image.)

A prime example is the MIME-sniffing process, where Internet Explorer looks inside of received responses and attempts to address the content appropriately with regards to what it sees in the body of the response, rather than as how it is actually labeled in the Content-Type header.

The problem here is that while this process may let developers and administrators off the hook in having to understand what MIME types and the Content-Type header are used for or configure them in applications or on servers, the result is a window for unscrupulous folks on the Internet to be able to smuggle content past any security or network filters that don’t perform deep packet inspection because they only look at header or file extension. When MIME smuggling is possible, XSS attacks also become possible in unexpected situations such as when there is a response, which is stamped as an image, but actually contains a malicious script that then gets executed.

Now, with IE8 Web site managers and application developers can turn off MIME sniffing by sending the X-Content-Type-Options: nosniff in responses, which should be set by Web administrators globally in Web server responses.

Like this and want to see more? Check out the other 13 secrets.

Visit the Microsoft Subnet web site for more news, blogs, podcasts. Subscribe to all Microsoft Subnet bloggers. Sign up for the bi-weekly Microsoft newsletter. (Click on News/Microsoft News Alert.) 5 Tactics Microsoft Is Using To Battle Linux for Cloud DominanceCloud computing explained in easy to understand termsFontList Fills Another Windows GapApril giveaways galore: Microsoft UC and Office 2007 books, free training from Global Knowledge Follow Microsoft Subnet on Twitter