No Cookies for You! Internet Explorer Service Pack Helps Thwart Cross-Site Script Attacks

REDMOND, Wash., Oct. 23, 2002 — Internet security issues just got a little easier for developers to deal with.

A paper released today by Microsoft security expert Michael Howard, author of Writing Secure Code, discusses how Microsoft Internet Explorer 6.0 Service Pack 1 provides a new way to prevent hackers from using cross-site scripting to access cookie files on a user’s desktop, one of the more common ways hackers break into computer systems.

Internet Explorer 6.0 Service Pack 1 is available in Windows XP Service Pack 1 and at the Microsoft Windows Update Web site.

“Cross-site scripting is a common, industry-wide issue, and hackers use it in myriad ways to gain access to systems,” says Michael Howard, a Security Program Manager at Microsoft. “Not all hackers go after cookie data, but many do. Making cookies inaccessible to scripts goes a long way toward helping mitigate this security risk.”

Here’s how it typically works:

A hackers who wants to penetrate a secured computer or system creates small Web applications or “scripts” designed to cull malicious data from his or her target. The hacker then must get the script to run within the target environment, beyond the security protocols of the system’s firewall. This is often accomplished by enticing a user to click on a link from an e-mail or on a Web site, which then covertly activates the script. After clicking on the link, the user’s browser not only returns the Web page requested, but also a host of other information the script file asks for. Once set in motion, these scripts are able to run on a single computer or network, and collect data that was otherwise secured.

Cookies — small files that Web browsers use to store potentially sensitive user information, including passwords and user IDs — are often the source of such attacks, because the user information stored on them can often help a hacker gain access to an individual’s computer, the data it holds, and whatever networks the computer is connected to.

Although much of the code written today is very good at keeping these scripts at bay, there is always a risk that somehow one will get set in motion and make a computer or entire system vulnerable to attack. If you’re securing your home, you put good locks on the doors. But there’s always the potential that a door in your house may unwittingly be left unlocked. So, given that, how then do you ensure your valuables won’t get burgled?

Simple: You teach your valuables how to recognize a thief.

That is basically what Microsoft has done. In the case of cross-site scripting hacks, the thief is a script file initiated by the client. The fix in the Internet Explorer service patch allows a developer to specify that a server running a Web application or site attach a special “HttpOnly” cookie extension to all cookie files it creates for its users. The extension designates cookie data as “off limits” to script files coming from the client. So when the cross-site script file says, “Hi, where do you keep your valuables?” your computer sees that it’s a thief asking, and simply answers, “Valuables, what valuables?”

The solution came from a brainstorm session with the Internet Explorer team during the recent Windows Security Push, when Microsoft Windows developers carried out an extensive review of Windows code for security issues. According to Howard, cross-site scripting, often referred to as XSS, was one of the main security issues the Windows team wanted to address because it poses such a large risk to customers.

Does introduction of the HttpOnly extension mean that developers no longer need to worry about XSS attacks?

“Absolutely not,” says Howard. “The HttpOnly cookie extensions definitely mitigate part of the problem, but there are many ways that XSS can be used maliciously, and there’s no substitute for writing solid, secure code.”

“This isn’t a cure, it’s an insurance policy,” adds Howard.

Developers can find more information about the HttpOnly cookie extensions by reading the article Howard wrote for MSDN , the Microsoft Developer Network. The service pack is available from the Windows Update Web site .

Related Posts