[WEB SECURITY] several IE8 features controversial at best "Onward to Beta-2 in August!"
- From: Mat Caughron <mat@xxxxxxxxxxxxxxxxx>
- Subject: [WEB SECURITY] several IE8 features controversial at best "Onward to Beta-2 in August!"
- Date: Wed, 2 Jul 2008 14:42:19 -0500
Web App Security List'ers:
I'd love nothing more than to earnestly welcome Microsoft into the web
security world, but after reading the link in Robert's post, I feel as if
the major OWASP vulnerability classes just got hijacked by a marketing team.
Surely I'm not the only webappsec engineer here thinking that client-side
cross site scripting mitigation is more than a little irrelevant.
Maybe "helps to mitigate" should read "helps to obfuscate the real issues".
"And of course in addition to all of this we need to effectively counter
all the XSS attack vectors not already addressed by other XSS-Focused
Attack Surface Reduction measures." *
So now these experts are advocating blacklisting JavaScript malware on the
client side? Between this and Google's safe web browsing API, maybe we
should just purchase a monthly subscription for someone else to do all
our web browsing for us.
How does the new browser with "Social Engineering Defenses" implement HTTP auth?
Hey, now we can all run out and buy the new extended validation SSL certs!
On the bright side, application protocol prompts are a welcome feature.
How big is the protected mode compiled code? Anyone stepped through that
with IDA pro yet?
Another jewel:
We've also introduced the XDomainRequest object to permit secure network
retrieval of "public" data across domains.
Note the word public is in quotes. Their quotes, people, not mine.
Dumbfounded, really,
Mat Caughron, CISSP
(408) 910-1266
* http://blogs.msdn.com/ie/archive/2008/07/01/ie8-security-part-iv-the-xss-filter.aspx
On Wed, 2 Jul 2008 robert@xxxxxxxxxxxxx wrote:
IE8 Security Part V: Comprehensive Protection
http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
Some good stuff coming.
- Robert
http://www.webappsec.org/
http://www.qasec.com/
http://www.cgisecurity.com/
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA