Internet Explorer has a Cross Site Scripting zero-day bug by Paul Ducklin.
From the post:
Another day, another zero-day.
This time, Microsoft Internet Explorer is attracting the sort of publicity a browser doesn’t want, following the public disclosure of what’s known as a Cross-Site Scripting, or XSS, bug.
With Microsoft apparently now investigating and looking at a patch, the timing of the disclosure certainly looks to be irresponsible.
There’s no suggestion that Microsoft failed to meet any sort of deadline to get a patch out, or even that the company was contacted in advance.
Nevertheless, details of the bug have been revealed, including some proof-of-concept JavaScript showing how to abuse the hole.
So, what is XSS, and what does this mean for security?
…
The bug violates the same-origin policy (SOP), which Wikipedia describes as:
This mechanism bears a particular significance for modern web applications that extensively depend on HTTP cookies to maintain authenticated user sessions, as servers act based on the HTTP cookie information to reveal sensitive information or take state-changing actions. A strict separation between content provided by unrelated sites must be maintained on the client side to prevent the loss of data confidentiality or integrity.
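To make concrete what the policy just quoted actually compares, here is an added JavaScript illustration of the origin check a browser performs (this is not code from the post or from Ducklin's article, and the sample URLs are constructed): two URLs share an origin only when scheme, host and port all match, and path, query and fragment are ignored.

```javascript
// Added example: the same-origin policy compares the (scheme, host, port)
// tuple of two URLs. Everything else in the URL (path, query, fragment) is
// ignored. The URL class is the WHATWG parser built into Node.js and browsers.

function originOf(urlString) {
  const u = new URL(urlString);
  // u.port is '' when the URL uses the scheme's default port (80 for http,
  // 443 for https), so fill the default in explicitly to compare like with like.
  const defaultPorts = { 'http:': '80', 'https:': '443' };
  const port = u.port || defaultPorts[u.protocol] || '';
  return { scheme: u.protocol, host: u.hostname, port };
}

function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Constructed sample pairs: the third field is whether a script running on the
// first page may read the second (its DOM, cookies, responses) under SOP.
const samples = [
  ['https://bank.example/account', 'https://bank.example/transfer?to=x', true], // same origin; path ignored
  ['https://bank.example/', 'http://bank.example/', false],                     // scheme differs
  ['https://bank.example/', 'https://bank.example:8443/', false],                // port differs
  ['https://bank.example/', 'https://evil.example/', false],                     // host differs
  ['https://bank.example/', 'https://www.bank.example/', false],                 // subdomain is a different host
  ['http://bank.example/', 'http://bank.example:80/', true],                     // explicit default port
];

// Returns true when every sample pair is classified as expected.
function checkSamples() {
  return samples.every(([a, b, expected]) => sameOrigin(a, b) === expected);
}
```

An XSS bug such as the one discussed above matters precisely because injected script runs inside the victim origin, so this check passes for it and nothing in the policy stops it reading that origin's data.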
While phrased in terms of “security,” take note that this covers content from other sites as well. One post I read on the topic suggested that content can be intermingled, but that isn’t the same as manipulating content from another source.
If you think of SOP as preventing programmatic, creative and imaginative re-use of content from other sites, suddenly it sounds a lot less like a feature doesn’t it?
Only if you follow the “cookie, cookie, me want cookie” philosophy of browser interaction is SOP even necessary. Once I authenticate to a remote site, if state is maintained at all it could be maintained on the server side. That would render SOP, how did Eve put it in The Diaries of Adam and Eve?, ah yes, superfluous.
Curious how security became intertwined with the desire of content owners to prevent re-use of content. That doesn’t sound like a neutral choice to me. Perhaps we should make another choice and evolve a different security model for web browsers.
A different security model that puts security in the hands of those best able to maintain it, that is server side. And at the same time, empower users, script writers and others to re-use any content they can load into their browsers. Imagine the range of services and capabilities that would add!
Better security, better access to content from any site. Sounds like a win-win to me. You?
In the meantime, things with IE may not be as grim as reported. Sean Michael Kerner reports in Researcher Discloses Potential Internet Explorer XSS Zero-Day Flaw that Microsoft has known about the bug since October 13, 2014 and doesn’t seem to be all that excited about it.
I make that to be 115 days, including February 4, 2015, so zero-day + 115 days. Rather long in the tooth for a zero-day bug I would say. 😉 You do know that “zero-day” doesn’t mean the day you read about it. Yes?
The bug was reported on the Full Disclosure list, for which neither of the posts cited gave a URL.
PS: Is anyone working on a fork of JavaScript that enables cross site scripting by design? The advantages for content re-use would be enormous. Users in charge of content on their own screens. What a concept.