Security Now
Episode 293

Security Now 293: IE9

IE 9 What's Changed, What's New, What it Means, and Does it Matter

Security Updates

Adobe Reader, Acrobat & Flash / Monday, March 21st

IE8 … Remember: It was Pwn2Own using three UNDISCLOSED but still unpatched vulnerabilities.

  • <tick, tock, tick tock>

Security News

RSA Security "Deeply Penetrated" …

  • … by an extremely sophisticated cyber attack ... (because you wouldn't want it to be that someone there simply opened a bad PDF document!)
  • "May have compromised the security of RSA SecurID two-factor authentication products. In an attack preliminarily identified as an Advanced Persistent Threat, digital information relating to SecurID tokens was stolen from RSA systems. The company is contacting customers to let them know of the breach and to offer suggestions for 'strengthen[ing] their SecurID implementations.'"
  • SANS Institute, in reporting on this story, mentioned that 40 million SecurID tokens have been deployed, which are often used to conduct financial transactions and at government agencies.

Meanwhile... RIM:

  • Research in Motion is urging users to disable JavaScript in the devices' browser to protect them from attacks that exploit a flaw disclosed at a recent hacking contest. The flaw affects the WebKit browser engine in BlackBerry Device Software version 6.0 and later and could be exploited to allow remote code execution. The flaw is not in JavaScript, but JavaScript is necessary to exploit the flaw.

India vs BlackBerry back in the news

  • RIM quoted as saying "Holy Smokes!"
  • According to Robert Crow, BlackBerry VP of Industry and Government Relations, India's Home Ministry, which is responsible for domestic security, has informed BlackBerry that it will require the ability to intercept communication data sent via the email capabilities of the handset.
  • According to Crow, these demands could potentially open the door to further problems, such as whether government tracking of ambassadorial conversations or even the transfer of financial files would be off limits.
  • "You connect those dots and you're saying, 'Holy smokes,' " said Crow.

UK ISPs to clarify their bandwidth shaping policies:

  • BT, Virgin Media, Sky and others have signed a voluntary code of practice saying they will provide consumers with clear "traffic management" policy information explaining when Internet connection speeds are throttled, why they are, and what effect the throttling will likely have on consumers' broadband service. The disclosures will also state whether the provider has arrangements with specific content providers to prioritize their traffic.


Good Morning America ~ Firesheep Downloads: 1,334,???

via Twitter: @BioTurboNick said: "Just found a bunch of Trojans via a MSSE Full Scan that weren't found by the Quick Scan. The shocker? They were all Java related."

Tweetdeck for Chrome! (Thanks @GrandFatherB)

Firefox *has* toolbar buttons! MANY thanks to everyone!

Shatner just turned 80 on Tuesday, March 22nd.

Interesting piece about NYT's going pay, the DMCA, and NoScript

Fukushima URL of the week:

  • Fabulous PDF charts showing the detailed status of all SIX reactors and pools

Apple suing Amazon over infringement of "App Store" trademark!!

  • Hello. It is an interesting case. Apple based its US application for the mark APP STORE on a foreign registration from Trinidad (likely hoping to go under the radar as opposed to filing directly like normal). It had the opposite effect. Apple's application was refused registration based on descriptiveness but overcame the refusal by arguing acquired distinctiveness (basically that it was descriptive but now due to Apple's marketing and notoriety consumers know the App Store emanates from Apple). USPTO bought the argument but Microsoft is now opposing the registration of the application. I believe Amazon saw Microsoft's argument and thought let's ride Microsoft's coattail. This is one of the really interesting cases between folks with plenty of resources. This will be played out on many levels and a lot of fun for us with no interest in the case.


David W. Roscoe

Topic: IE 9 What's Changed, What's New, What it Means, and Does it Matter


  • State of the art Browser
  • Two years in the making - immediately after IE8
  • Significantly: NO WinXP support - still a strong global XP installed base.
  • Great news for developers: Massive Standards Improvement:
    • Improved support for CSS 3 and SVG
    • Acid3 score 95/100 (IE8 was 20/100)
      • FFv3 = 94. IE8 just collapses totally and fails
    • A new JavaScript engine called "Chakra."
    • Uses JIT engine to execute JavaScript as native code.
    • HTML5 audio & video
    • Extensive use of DirectX hardware acceleration for text and video display
    • Support for "Canvas" (Apple's bitmap image-access)
    • Lifehacker: of Firefox, Chrome, Opera, IE:
      • IE was slowest to start up
      • Slowest on JavaScript, but it was able to finish
      • (64-bit IE9 - not the default even on 64-bit platforms - is 4 times slower)
      • Slowest on DOM/CSS, but it was able to finish
      • Highest in memory usage
    • ECMA-262 (ES5)
      • total tests: 10,456
      • IE8 won't even display the test
      • FFv3: 3,661
      -------------------------
      • Chrome: failed 497
      • FFv4: failed 301
      • IE9: 17
    • DOM L2 & L3 Events

Tracking Protection Lists

  • In IE8, InPrivate Filtering was part of InPrivate Browsing and had to be manually enabled every time the browser was started. It could use provided XML rule files, but was also adaptive and could automatically block apparent trackers.
  • Submitted to the W3C standards body as a proposed standard "Web Tracking Protection"

  • Syntax:
    • First line must contain the string: FilterList
    • # Comments begin with pound sign (number sign)
    • : is a "setting" with a key=value pair
      • : Expires = 10 (check every 10 days for an update [1-30 valid])
    • +d domain-name [string] (URI *must* contain "string" to qualify)
    • -d domain-name [string] (URI *must* contain "string" to qualify)
    • - string (an optional "*" wildcard matches 0 or more of any character)

  • Semantics:
    • Aside from the first line, line ordering does not matter
    • All allow rules are processed first and if any match, the URI is accepted
    • All block rules are processed next and if any match, the URI is dropped
    • If no rule matches, the URL is accepted
    • Therefore, allow rules take precedence over block rules.
    • If the use of multiple files is supported, then ALL allow rules are taken together first with all block rules taken afterward

  • Domain-based blocking is fine
  • But random string blocking is horrifying! (From Easylist @ adblockplus)
    • .com/ad-
    • .com/ad.
    • .com/ad/
    • .com/ad_
    • .com/adlib/
    • .com/gad/
    • .com/openx/
    • .html?ad=
    • /ad-hug.
    • /ad-letter.
    • /ad-local.
    • /ad.asp?
    • /ad.cgi?
    • /ad.jsp?
    • /ad.php?
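
The syntax and semantics above, worked through as an added example (not part of the original show notes and not Microsoft's code): a small Python parser and evaluator run over a constructed list. It reads `+d` as an allow rule and `-d` / `-` as block rules, and it assumes that a domain rule also covers subdomains and that unrecognized lines are skipped.

```python
import re
from urllib.parse import urlsplit

# Constructed sample list that follows the syntax in these notes.
SAMPLE_TPL = """msFilterList
# constructed example, not a published list
: Expires = 10
-d tracker.example
-d cdn.example /pixel
+d cdn.example /pixel/first-party
- .com/ad-
- /ad.php?
"""

def parse_tpl(text):
    lines = text.splitlines()
    if not lines or "FilterList" not in lines[0]:
        raise ValueError("first line must contain 'FilterList'")
    tpl = {"settings": {}, "allow": [], "block": []}
    for line in (l.strip() for l in lines[1:]):
        if not line or line.startswith("#"):
            continue
        if line.startswith(":"):
            key, _, value = line[1:].partition("=")
            tpl["settings"][key.strip().lower()] = value.strip()
            continue
        m = re.match(r"(\+d|-d|-)\s+(\S+)(?:\s+(\S+))?$", line)
        if not m:
            continue  # assumption: unrecognized lines are skipped
        kind, first, second = m.groups()
        # domain rule -> (domain, optional string); string rule -> (None, string)
        rule = (first.lower(), second or "") if kind.endswith("d") else (None, first)
        tpl["allow" if kind == "+d" else "block"].append(rule)
    return tpl

def rule_matches(rule, url):
    domain, pattern = rule
    if domain is not None:
        host = (urlsplit(url).hostname or "").lower()
        # assumption: a domain rule also covers its subdomains
        if host != domain and not host.endswith("." + domain):
            return False
    # "*" matches zero or more of any character; the rest is literal
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.search(regex, url) is not None

def decide(tpl, url):
    # Allow rules first, then block rules, default accept; file order is irrelevant.
    if any(rule_matches(r, url) for r in tpl["allow"]):
        return "allow"
    if any(rule_matches(r, url) for r in tpl["block"]):
        return "block"
    return "allow"
```

With the sample list, `decide(parse_tpl(SAMPLE_TPL), "https://shop.example.com/ad-free-upgrade")` returns `"block"` because of the `.com/ad-` string rule, even though no tracking domain is involved; that over-matching is the problem with bare string rules.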

"Do Not Track" header

  • DOM support: (document.navigator.doNotTrack == "1") returns TRUE
    • DOM support allows ready detection from client-side code
  • DNT: 1 (identical to Mozilla's proposal and
  • <quote>Websites that track users across multiple first-party websites must check for the presence of the Do Not Track user preference. If a website detects that this preference is enabled, it must disable any tracking code or collection of data that can be used for tracking purposes, regardless of the level of identification of the user</quote>
  • When the user has any Tracking Protection list enabled, the DNT: 1 request header is added to all outbound HTTP/HTTPS requests.

Malware Protection

  • A layered defense
  • "Preventing Reliable Exploitation"
    • Supports DEP/NX - enabled by default in IE8 and IE9
    • ASLR (as in IE8) helps prevent ROP (return oriented programming)
    • Safe Structured Exception Handling (SafeSEH)
    • Also supports SEHOP - Safe Exception Handling Overwrite Protection, which checks the validity of the SEH chain before dispatching exceptions.
      • Per process, not just per DLL.
  • IE9 compiled with Microsoft's latest C++ compiler for better Stack Buffer Overrun detection.

SmartScreen Application Reputation

  • Reputation-based download warnings.
  • NO WARNING when downloading programs with an established reputation.
  • <quote>Based on real-world data we estimate that this new warning will be seen only 2-3 times a year for most consumers compared to today where there is a warning for every software download.</quote>
  • <quote>The key challenge with malware on the internet is that attacks are fast moving and quick to change. The importance of application reputation is as an early warning system. There is latency between the outbreak of an attack and when it is detected and blocked. Consumers today are unprotected during that time. Think of this new warning as “stranger danger” – it’s an early warning system for undetected malware. No antivirus or protection technology is perfect; it takes time to identify and block malicious sites and applications. Blocking after detection is still an important strategy, but there remains a gap between the start of an attack and when it is detected and blocked. IE9 SmartScreen application reputation fills that gap.</quote>
  • <quote>When you download a program in IE9 a file identifier and the publisher of the application (if digitally signed) are sent to a new application reputation service in the cloud. If the program has an established reputation there is no warning. If the file is downloaded from a reported malicious site, IE9 blocks the download, just like IE8 does. However, if the file does NOT have an established reputation, IE lets you know in the notification bar and download manager, enabling you to make an informed trust decision.</quote>
  • "06-FHU-ICB.exe is not commonly downloaded and could harm your computer."

User-Agent header cleaned up. (unless in IE7 compatibility view)

  • Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
  • Declares Mozilla/5.0 and Trident/5.0 (layout engine) because IE9 is so much more standards compliant
  • Removed all of that horrific .NET nonsense
  • No OTHER applications declaring themselves
  • A nice boost for privacy against tracking through headers




