Wednesday, August 27, 2008

Internet Explorer 8's New Cross-Site Scripting Protection

SECURITY UPDATE
A Penton Media Property
August 27, 2008




IN FOCUS

--Internet Explorer 8's New Cross-Site Scripting Protection
by Mark Joseph Edwards, News Editor
As you probably know, Internet Explorer (IE) 8 is currently in beta
testing. In addition to much-needed compatibility updates to Cascading
Style Sheets (CSS) handling, the browser is gaining other new
functionality. Probably one of the most important improvements in IE 8
is its defense against cross-site scripting (XSS) attacks.

XSS is one of the most common security problems encountered in web
applications, and there are many ways to perpetrate such an attack. If
you take a quick look at the XSS Cheat Sheet over at ha.ckers.org (at
the URL below) you'll see dozens of examples, any of which could
possibly inject such an attack into a web browser depending on the
browser version. The attacks vary from putting script tags where they
might not normally be expected, to obfuscating characters using various
encoding, to appending scripts to URLs, and much more.

http://ct.email.windowsitpro.com/rd/cts?d=33-12993-803-202-62923-1353473-0-0-0-1-2-207 (http://ct.email.windowsitpro.com/rd/cts?d=33-12993-803-202-62923-1353474-0-0-0-1-2-207)

IE has contained XSS protection in some fashion since about 2002, and
when IE 8 is released we'll see a much stronger XSS filtering system.
The new filtering system considerably reduces the potential attack
surface. Microsoft is achieving that by building a signature-based
detection system. Regular expressions (regex) will be used to identify
potential attacks. If potential attacks are detected, then additional
regular expressions might be generated for use in detecting further
potential attacks that might stem from variations in the web platform
code pre-processing. For example, IIS might handle encoded characters
differently than Apache or LiteSpeed web servers.

All the XSS filtering will take place inside IE's rendering engine,
which Microsoft says is the best place for the filtering to occur in
terms of performance. When attacks are detected, IE will refuse to
execute the related script code and alert the user that an attack has
been blocked. From an administrator's standpoint, you can enable or
disable the XSS filter for each of IE's security zones using Group
Policy.
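To make the signature-and-reflection idea concrete, here is an added illustration (not Microsoft's filter code and not from this newsletter) of how a regex-based reflected-XSS filter works in principle: each request parameter is normalized to undo the decodings different web platforms might apply, matched against signature regexes, and only treated as an attack if the matched fragment is actually reflected into the response, in which case the fragment is overwritten so the rendering engine never executes it. The signatures, URLs and response bodies below are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed signatures in the spirit of a regex-based XSS filter: each one
# describes an injection shape (tag, event handler, script URL), not one payload.
SIGNATURES = [
    re.compile(r"<\s*script\b", re.I),      # opening <script> tag
    re.compile(r"\bon[a-z]+\s*=", re.I),    # inline event-handler attribute
    re.compile(r"javascript\s*:", re.I),    # script URL scheme
]

def normalize(value: str) -> str:
    """Undo decodings a web platform might apply (repeated percent-decoding,
    numeric HTML entities) so one signature covers several server behaviours."""
    prev = None
    while prev != value:            # loop until stable: handles double encoding
        prev, value = value, unquote(value)
    value = re.sub(r"&#x([0-9a-f]+);", lambda m: chr(int(m.group(1), 16)), value, flags=re.I)
    return re.sub(r"&#(\d+);", lambda m: chr(int(m.group(1))), value)

def detect(url: str, body: str):
    """Return [(param, matched_text)] for query parameters that match a
    signature AND whose matched fragment is reflected into the response body."""
    hits = []
    for name, raw in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for sig in SIGNATURES:
            m = sig.search(normalize(raw))
            if m and re.search(re.escape(m.group(0)), body, re.I):
                hits.append((name, m.group(0)))
                break               # one hit per parameter is enough
    return hits

def neutralize(url: str, body: str) -> str:
    """Block detected reflections by overwriting the second character of each
    matched fragment, so the rendering engine sees inert text, not script.
    Caveat: the check only confirms the fragment is present in the response,
    so a page whose own markup contains the same text is altered too (a false
    positive that a signature-based filter has to manage)."""
    for _, fragment in detect(url, body):
        body = re.sub(re.escape(fragment),
                      lambda m: m.group(0)[0] + "#" + m.group(0)[2:], body, flags=re.I)
    return body
```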

Even with the improvements, IE 8's XSS filter won't stop all attacks. As
Microsoft security software engineer David Ross pointed out in the
company's Security Vulnerability Research & Defense blog, several
avenues of attack will still exist, such as attacks injected through
HTTP headers. If you're interested in a more detailed overview of the
new filter, be sure to read Microsoft's blog post at the first URL
below. And if you want to take IE 8 for a test drive early, you can
download a copy at the second URL below.

http://ct.email.windowsitpro.com/rd/cts?d=33-12993-803-202-62923-1353475-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-12993-803-202-62923-1353476-0-0-0-1-2-207)

http://ct.email.windowsitpro.com/rd/cts?d=33-12993-803-202-62923-1353477-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-12993-803-202-62923-1353478-0-0-0-1-2-207)

Many security administrators feel that IE's approach to security is
still a bit too broad. Sure, you have four security zones in which to
control sites, which is very helpful. But that control isn't granular
enough in some cases. For example, with Firefox you can install the
NoScript add-on (available at the first URL below) and totally control
JavaScript execution on a site-by-site basis and on-the-fly with a
simple right-click context menu that can be adjusted in a matter of a
couple of seconds. Accomplishing the same thing in IE is a rather
tedious multi-click task. It'd be extremely helpful to see something
like NoScript (and Flashblock, for that matter--at the second URL below)
built into IE.

http://ct.email.windowsitpro.com/rd/cts?d=33-12993-803-202-62923-1353479-0-0-0-1-2-207 (http://ct.email.windowsitpro.com/rd/cts?d=33-12993-803-202-62923-1353480-0-0-0-1-2-207)

http://ct.email.windowsitpro.com/rd/cts?d=33-12993-803-202-62923-1353481-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-12993-803-202-62923-1353482-0-0-0-1-2-207)



SECURITY NEWS AND FEATURES

--PC Tools to Become Part of Symantec
Symantec intends to acquire PC Tools, maker of numerous security
solutions, and bring the company under the wing of its consumer business
unit.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-12993-803-202-62923-1353484-0-0-0-1-2-207

--Opera 9.52 Fixes 7 Security Bugs
Opera released an update for its browser that includes seven security
fixes, all of which are documented except for one.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-12993-803-202-62923-1353485-0-0-0-1-2-207

--New Precedent for Security Researchers?
A recent federal court ruling implies that the Computer Fraud and Abuse
Act (CFAA) most likely would not apply to researchers who give academic
presentations.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-12993-803-202-62923-1353486-0-0-0-1-2-207

--Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts,
which inform you about recently discovered security vulnerabilities. You
can also find information about these discoveries at

http://ct.email.windowsitpro.com/rd/cts?d=33-12993-803-202-62923-1353487-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-12993-803-202-62923-1353488-0-0-0-1-2-207)


GIVE AND TAKE

--SECURITY MATTERS BLOG: Red Hat and Fedora Possibly Compromised
by Mark Joseph Edwards
If you're using Red Hat Desktop or Enterprise Linux, or Fedora, then you
should probably check to ensure that you're not using compromised
packages that might have been the result of illegal access to Red Hat's
servers.

http://ct.email.windowsitpro.com/rd/cts?d=33-12993-803-202-62923-1353489-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-12993-803-202-62923-1353490-0-0-0-1-2-207)

--FAQ: Populating Credentials on Read-Only Domain Controllers
by John Savill
Q. How can I pre-populate a specific user's credentials on a read-only
domain controller (RODC)?

Find the answer at

http://ct.email.windowsitpro.com/rd/cts?d=33-12993-803-202-62923-1353491-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-12993-803-202-62923-1353492-0-0-0-1-2-207)

--SHARE YOUR SECURITY TIPS AND GET $100
Share your security-related tips, comments, or problems and solutions.
Email your contributions to r2r@windowsitpro.com
(mailto:r2r@windowsitpro.com). If we print your submission, you'll get
$100. We edit submissions for style, grammar, and length.


PRODUCTS

--Proactive Protection Against Internet Threats
by Lavon Peters, Security Editor
Antivirus software and data security solutions provider BitDefender
recently launched BitDefender Total Security 2009. This software
proactively protects against viruses, spyware, hackers, spam, and other
e-threats, with minimal effect on performance. Rather than relying on a
list of preexisting viruses, the product can identify and block new and
zero-day threats. In addition, BitDefender Total Security 2009 lets you
back up data online, provides a laptop mode to extend your battery life,
offers IM encryption, and enables secure local storage. For more
information, contact BitDefender at 954-776-6262 or visit
http://ct.email.windowsitpro.com/rd/cts?d=33-12993-803-202-62923-1353493-0-0-0-1-2-207 (http://ct.email.windowsitpro.com/rd/cts?d=33-12993-803-202-62923-1353494-0-0-0-1-2-207).

--McAfee-Compatible Log and Event Management
by Lavon Peters, Security Editor
LogRhythm, the log and event management product by the company of the
same name, has achieved McAfee Compatible status under the McAfee
Security Innovation Alliance (SIA) program. McAfee tested LogRhythm and
validated the software's ability to forward alert information to
McAfee's security and compliance management system, ePolicy Orchestrator
(ePO). This integrated solution enables real-time monitoring and
notification, threat detection, and incident response. For more
information, contact LogRhythm at 303-413-8745 or visit
http://ct.email.windowsitpro.com/rd/cts?d=33-12993-803-202-62923-1353495-0-0-0-1-2-207 (http://ct.email.windowsitpro.com/rd/cts?d=33-12993-803-202-62923-1353496-0-0-0-1-2-207).


RESOURCES AND EVENTS

Get End-to-End Visibility in Your SOA Performance

Live Web Seminar September 25, 2008, 12:00 PM EDT: Too often,
infrastructure component analysis tools diagnose in a silo and don't
provide the end-to-end visibility you need to manage SOA performance
effectively. Add in the additional cross-platform complexity of .NET and
J2EE transaction environments, and you fail to get a comprehensive view
of the entire transaction path. Mel Beckman explores the most desirable
characteristics of end-to-end SOA analysis tools to help you devise an
effective SOA management strategy.

http://ct.email.windowsitpro.com/rd/cts?d=33-12993-803-202-62923-1353497-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-12993-803-202-62923-1353498-0-0-0-1-2-207)

Beyond SSL: Learn About Extended Validation Certificates

Extended Validation (EV) certificates are a new standard in SSL
certificates designed to overcome the inconsistencies in authentication
practices that have undermined trust in SSL over the years. Read this
white paper to learn about the key improvement in the standard that
contributes to greater user trust and helps websites increase the volume
of their business by creating greater levels of trust in their user
base.

http://ct.email.windowsitpro.com/rd/cts?d=33-12993-803-202-62923-1353499-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-12993-803-202-62923-1353500-0-0-0-1-2-207)

True High Availability for SQL Server

Ensure that your critical SQL data is always safe and available. When
the silent engine behind your critical applications goes down, your
business stops running the way it needs to. SQL Server DBAs must ensure
that some form of protection is in place. This seminar provides tips on
high availability and the resources that are available for your disaster
recovery planning.

http://ct.email.windowsitpro.com/rd/cts?d=33-12993-803-202-62923-1353501-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-12993-803-202-62923-1353502-0-0-0-1-2-207)


FEATURED WHITE PAPER

Case Studies Look at Deploying Exchange on Virtual Platforms

Today's messaging environments must be highly available, disaster
tolerant, and cost efficient. Download this white paper based on real
customer experiences running Microsoft Exchange on virtual machines to
learn how to simplify disaster recovery and decrease downtime, increase
availability of applications, simplify testing, and improve provisioning
strategies. Specific use cases demonstrate advantages of deploying
Exchange on a VMware platform.

http://ct.email.windowsitpro.com/rd/cts?d=33-12993-803-202-62923-1353503-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-12993-803-202-62923-1353504-0-0-0-1-2-207)


ANNOUNCEMENTS

Master SharePoint with 3 eLearning Seminars--hosted by Windows IT Pro

Join MVPs Dan Holme and Michael Noel to learn how to build a better
SharePoint infrastructure and enable powerful collaboration. On October
1, 2008, at 11:00 AM EDT, direct from your computer, these SharePoint
gurus will guide you through three info-packed sessions: 21st Century
File Sharing: Configuring & Managing Document Libraries; Building
Code-Free SharePoint Applications and Business Intelligence Lite; and
Forms-Based Authentication and Extranet Deployment Options for
SharePoint 2007. All for only $99! Seats are limited to allow for lots
of live Q&A at the end. Register today!

http://ct.email.windowsitpro.com/rd/cts?d=33-12993-803-202-62923-1353505-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-12993-803-202-62923-1353506-0-0-0-1-2-207)

Know a Developer?

Pass on the SharePoint Mastery series, built especially for developers,
with speaker and Microsoft MVP Andrew Connell!

http://ct.email.windowsitpro.com/rd/cts?d=33-12993-803-202-62923-1353507-0-0-0-1-2-207
(http://ct.email.windowsitpro.com/rd/cts?d=33-12993-803-202-62923-1353508-0-0-0-1-2-207)


CONTACT US
Security UPDATE is brought to you by the Windows IT Pro Web site's
Security page (first URL below) and Security Pro VIP (second URL
below).
http://ct.email.windowsitpro.com/rd/cts?d=33-12993-803-202-62923-1353509-0-0-0-1-2-207
http://ct.email.windowsitpro.com/rd/cts?d=33-12993-803-202-62923-1353510-0-0-0-1-2-207


To contact us:
About Security UPDATE content -- mailto:letters@windowsitpro.com
About technical questions -- http://ct.email.windowsitpro.com/rd/cts?d=33-12993-803-202-62923-1353513-0-0-0-1-2-207
About your product news -- mailto:products@windowsitpro.com
About your subscription -- mailto:windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- mailto:salesopps@windowsitpro.com

View the Windows IT Pro privacy policy at
http://ct.email.windowsitpro.com/rd/cts?d=33-12993-803-202-62923-1353514-0-0-0-1-2-207

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2008, Penton Media, Inc. All rights reserved.
