Security Basics mailing list archives

RE: Internet Explorer 8 beta and xss filter...


From: "Mike Theriault" <Mike_Theriault () Jabil com>
Date: Wed, 9 Jul 2008 11:46:45 -0400

I'm glad to see that Microsoft is taking steps to improve the security of IE
as well. Let's not forget that type-1 XSS attacks can be prevented by
disabling active scripting.  Firefox in conjunction with "NoScript" has done
a great job in this area by allowing you to customize active scripting for a
given site, but unfortunately for IE it's all or nothing so disabling
scripting does not lend itself well to usability because so many sites
leverage it.  

I hope IE8 gives you a greater level of granularity and control over the
scripting runtime than what IE offers today. 

Regards,

Mike Theriault
Corporate Application Security Engineer
"We preserve our freedoms by using four boxes: soap, ballot, jury, and
cartridge."


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Adam Pal
Sent: Wednesday, July 09, 2008 7:50 AM
To: Jorge L. Vazquez
Cc: security-basics; security focus listbounce
Subject: Re: Internet Explorer 8 beta and xss filter...

Hello Jorge,

The link you submitted describes the protection offered by IE8 as
"to protect against Type-1 XSS attacks"; from this point of view I'd
expect that the number of unintended attacks decreases.
Of course, there are also other types and the attackers will find a
possibility to pass through IE8-protection.

But I don't expect IE8 to _stop_ XSS, the attack is against a web
application, not against a browser, the point is just that it was not
visible to innocent users, which will change from now on.

I consider it as a "plus" for Microsoft that they take this threat
seriously and start integrating such protections into their own
browsers.

-- 
Best regards,
 Adam Pal   

Tuesday, July 8, 2008, 1:02:37 AM, you wrote:

<==============Original message text===============
JLV> hey guys...

JLV> just came across this article that describes the new security features
JLV> on IE 8 beta, especially the XSS filter.

JLV> http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1319861,00.html#

JLV> do you think this will put a stop on xss attacks by Microsoft and their
JLV> new browser?




JLV> thanks
JLV> Jorge L. Vazquez
JLV> www.pctechtips.org

<===========End of original message text===========

