Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire

URLs in Internet Explorer 7

from
»blogs.msdn.com/ie/archive/2005/0···006.aspx
"..
Internet Explorer 7 includes a new URL handling architecture known internally as CURI. The new optimized URI functions provide more secure and consistent parsing of URIs to reduce attack surface and mitigate the threat of malicious URIs.

When designing our security strategy for IE7, malicious URIs were near the top of the list because secure handling of URIs throughout IE is critical to the security of the system. Hence, a major architectural investment was made in CURI for IE7.

Unlike most of the new features in IE7, most end users will never notice CURI working “under the hood” on their behalf. For the technical readers in the audience, however, the details behind CURI may be of some interest. ...

Cudni
--
Think locally, @#!? globally!
Help yourself so God can help you

B
Premium,MVM
join:2000-10-28

Haven't read it, but let me guess -- this is just URLScan and the IIS Lockdown Tool ported to IE, right?

-- B
--
In a realm outside causality and function


keith2468
Premium,MVM
join:2001-02-03
Winnipeg, MB
reply to Cudni
"reduce the attack surface" ???

It sounds like the bulk of someone's security training wasn't in IT security.

inTulsa
Premium
join:2002-02-24

reply to Cudni
quote:
CURI is a lightweight object which holds a single URI in normal form. If the CURI is constructed from a string URI, that string URI is cracked just once when the object is first constructed.
...
The CURI object is available for consumption by external callers like ActiveX controls and Browser Helper Objects; documentation will be provided on MSDN as the CURI class is finalized. It’s worth noting that even external code that does not directly consume CURI objects will benefit from the change, because Unicode string serialized out of CURI objects will be consistently normalized, decreasing the likelihood of incorrect parsing even outside of IE.
It doesn't sound like a security feature at all. They're extending the exposure of the standard old location object with a custom object. The standard URI format hasn't been a source of insecurity - IE's parsing and treatment of it has been. A better approach might be to abide by existing standards - for example, stop accepting intermediate blanks, binary codes, and other garbage in URI. It shouldn't require new object invention to fix the current parsing issues that have led to real vulnerabilities.

I don't want Unicode binary embedded in URI. That will make URL filtering much harder to accomplish. The first to take advantage will probably be advertising and pr0n sites to circumvent today's breed of filters.


Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA
reply to B
This is taking the many ways of handling URLs, i.e. by clicking links, direct entry into the address bar, etc., and consolidating them into a single piece of code.

This makes it so that there are fewer places for bugs to hide (hence the "attack surface" comment), and I think it's a great idea. I'm very happy to see this sort of thing from Microsoft; it reinforces the fact that they're serious about security.
--
dmiessler.com - grep understanding knowledge


Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA
reply to keith2468
said by keith2468:

"reduce the attack surface" ???

It sounds like the bulk of someone's security training wasn't in IT security.
There is less code for handling input, and that code is being scrutinized more. That is, most definitely, a security improvement.
--
dmiessler.com - grep understanding knowledge
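The two points argued above can be shown side by side: the quoted CURI description's "crack the string once, hand every consumer the same normal form", and inTulsa's objection that a URI parser should refuse embedded blanks and binary rather than tolerate them, and that Unicode host names must stay filterable. The code below is an added example written for this thread; it is not Microsoft's CURI, not from any poster, and the function names, the http/https-only policy, the choice to reject rather than strip bad bytes, and the sample blocklist are all assumptions made for the example. It uses only the Python standard library.

```python
"""One canonical URL form shared by every consumer (added example, not CURI)."""
import re
from urllib.parse import urlsplit, urlunsplit


class MalformedURL(ValueError):
    """Raised when a URL carries bytes the canonical form refuses to accept."""


# Raw ASCII controls, space and DEL have no place inside a URL.  They are
# refused, not stripped, so a filter and a browser can never disagree about
# where a host name or path ends.  (Checked before urlsplit, which would
# otherwise silently remove tabs and newlines.)
_FORBIDDEN = re.compile(r"[\x00-\x20\x7f]")
_BAD_PCT = re.compile(r"%(?![0-9A-Fa-f]{2})")   # '%' not followed by 2 hex digits
_PCT = re.compile(r"%([0-9A-Fa-f]{2})")
_DEFAULT_PORTS = {"http": 80, "https": 443}     # assumption: only these schemes


def _normalize_pct(text: str) -> str:
    """Decode escapes of unreserved characters; give every other escape one spelling."""
    if _BAD_PCT.search(text):
        raise MalformedURL("dangling or malformed percent-escape")

    def fix(match):
        byte = int(match.group(1), 16)
        char = chr(byte)
        if (byte < 0x80 and char.isalnum()) or char in "-._~":
            return char            # RFC 3986 unreserved: never needs escaping
        return "%%%02X" % byte     # reserved/other: uppercase hex, always escaped

    return _PCT.sub(fix, text)


def _normalize_path(path: str) -> str:
    """Fix percent-encoding, then resolve '.' and '..' segments."""
    raw = _normalize_pct(path or "/").lstrip("/").split("/")
    segments = []
    for seg in raw:
        if seg == "..":
            if segments:
                segments.pop()
        elif seg != ".":
            segments.append(seg)
    result = "/" + "/".join(segments)
    if raw[-1] in (".", "..") and not result.endswith("/"):
        result += "/"              # a trailing dot-segment names a directory
    return result


def normalize_url(url: str) -> str:
    """Return the single canonical spelling of an http(s) URL, or raise."""
    if _FORBIDDEN.search(url):
        raise MalformedURL("control character or whitespace inside URL")
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in _DEFAULT_PORTS:
        raise MalformedURL("unsupported scheme: %r" % parts.scheme)
    host = (parts.hostname or "").rstrip(".")   # hostname is already lower-cased
    if not host:
        raise MalformedURL("missing host")
    try:
        # IDNA gives every Unicode host one ASCII spelling, so an ASCII-only
        # filter sees exactly the name the browser will resolve.
        host = host.encode("idna").decode("ascii")
        port = parts.port                        # raises ValueError if not numeric
    except (UnicodeError, ValueError) as exc:
        raise MalformedURL(str(exc)) from None
    netloc = host if port in (None, _DEFAULT_PORTS[scheme]) else "%s:%d" % (host, port)
    # Userinfo is deliberately not carried into the canonical form; the
    # fragment never reaches the server, so it is dropped as well.
    return urlunsplit((scheme, netloc, _normalize_path(parts.path),
                       _normalize_pct(parts.query), ""))


def rejects(url: str) -> bool:
    """True if normalize_url refuses the input (used by the demo below)."""
    try:
        normalize_url(url)
    except MalformedURL:
        return True
    return False


def is_blocked(url: str, blocklist) -> bool:
    """Filter decision made on the canonical host or any parent domain of it."""
    labels = urlsplit(normalize_url(url)).hostname.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


if __name__ == "__main__":
    # Constructed sample blocklist; every entry is already in canonical form.
    BLOCKLIST = {"ads.example", "xn--bcher-kva.example"}
    for u in ("HTTP://Example.COM:80/a/./b/../c%7e?x=%41#top",
              "http://bücher.example/",
              "HTTP://Sub.ADS.Example.:80/banner"):
        print(u, "->", normalize_url(u), "blocked" if is_blocked(u, BLOCKLIST) else "allowed")
    for u in ("http://example.com/a b", "http://example.com/%zz", "ftp://example.com/"):
        print(u, "-> rejected" if rejects(u) else "-> accepted")
```

The design point is the one Daniel makes: there is exactly one place that turns a string into a URL, every consumer (here the filter) sees only its output, and that one place is strict. Percent-escapes get one spelling, host names get one spelling (lower-case, no trailing dot, punycode for Unicode labels), and anything with raw whitespace or controls is an error rather than something each caller has to guess about.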
Friday, 04-Dec 12:46:57
© 1999-2009 dslreports.com.