
RE: [WEB SECURITY] several IE8 features controversial at best "Onward to Beta-2 in August!"



This response seems trigger-happy and dramatic. David Ross certainly isn't a
marketing guy... nobody's stealing OWASP terms and I don't think (sure hope)
they don't have a trademark on these vuln classes.  "Helps to mitigate"
seems honest enough, it's yet another way to raise the bar, sort of like
restricted Iframes in IE.  And although I haven't seen or tested it, I'd
assume that XDomainRequest retrieves "public" data meaning cookies and
headers aren't sent with the request.  Of course that doesn't help in the
case of cookieless auth scenarios but that's another story.

Chris



-----Original Message-----
From: Mat Caughron [mailto:mat@xxxxxxxxxxxxxxxxx] 
Sent: Wednesday, July 02, 2008 12:42 PM
To: robert@xxxxxxxxxxxxx
Cc: websecurity@xxxxxxxxxxxxx
Subject: [WEB SECURITY] several IE8 features controversial at best "Onward to Beta-2 in August!"


Web App Security List'ers:

I'd love nothing more than to earnestly welcome Microsoft into the web 
security world, but after reading the link in Robert's post, I feel as if 
the major OWASP vulnerability classes just got hijacked by a marketing team.

Surely I'm not the only webappsec engineer here thinking that client-side 
cross site scripting mitigation is more than a little irrelevant.

Maybe "helps to mitigate"  should read "helps to obfuscate the real issues".

"And of course in addition to all of this we need to effectively counter 
all the XSS attack vectors not already addressed by other XSS-Focused 
Attack Surface Reduction measures." *

So now these experts are advocating blacklisting javascript malware on the 
client side?  Between this and Google's safe web browsing API, maybe we 
should just purchase a monthly subscription for someone else to do all 
our web browsing for us.

How does the new browser with "Social Engineering Defenses" implement HTTP
auth?

Hey, now we can all run out and buy the new extended validation SSL certs!


On the bright side, application protocol prompts are a welcome feature.

How big is the protected mode compiled code?  Anyone stepped through that 
with IDA Pro yet?

Another jewel:
We've also introduced the XDomainRequest object to permit secure network 
retrieval of "public" data across domains.


Note the word public is in quotes.  Their quotes, people, not mine.

Dumbfounded, really,




Mat Caughron, CISSP
(408) 910-1266



* http://blogs.msdn.com/ie/archive/2008/07/01/ie8-security-part-iv-the-xss-filter.aspx




On Wed, 2 Jul 2008 robert@xxxxxxxxxxxxx wrote:
>
> IE8 Security Part V: Comprehensive Protection
>
> http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
>
> Some good stuff coming.
>
> - Robert
> http://www.webappsec.org/
> http://www.qasec.com/
> http://www.cgisecurity.com/
>
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
