Wednesday, January 28, 2009

‘ClickJacking Protection’ in IE8 RC1

Have you heard? IE 8 RC1 (Release Candidate) is out now. Just like the previous release, this time too MSFT has included a new feature, named ClickJacking Protection.

Let's hear what Wikipedia has to say about this.

Clickjacking is a malicious technique of tricking web users into revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. A vulnerability across a variety of browsers and platforms, a clickjacking takes the form of embedded code or script that can execute without the user's knowledge, such as clicking on a button that appears to perform another function.

One of the most common security vulnerabilities in the web world is called Cross Site Request Forgery (CSRF). Preventing CSRF attacks is hard because there’s generally no easy fix. The browser architecture allows interaction and navigation between multiple sites simultaneously, within a single page, and that is what an attacker exploits.

The IE 8 Dev Team says, “ClickJacking is a term which encompasses multiple techniques that can be used to trick the user into unwittingly clicking an obscured or hidden web element, usually resulting in an unwanted transaction”. A successful ClickJacking attack could circumvent CSRF protections that attempt to confirm transactions with the user.

The simplest and most broadly used mechanism to defeat ClickJacking attacks is called frame-busting. It works by simply preventing vulnerable pages from being framed. Since typical frame-busting mechanisms rely on script, they can be defeated in various ways.

The Internet Explorer 8 RC introduces a new opt-in mechanism that enables web applications to mitigate the risk of ClickJacking on vulnerable pages by declaring that those pages may not be framed.

How it works

Web developers can send an HTTP response header named X-FRAME-OPTIONS with HTML pages to restrict how the page may be framed. If the X-FRAME-OPTIONS value contains the token DENY, IE8 will prevent the page from rendering if it would be contained within a frame. If the value contains the token SAMEORIGIN, IE will block rendering only if the origin of the top-level browsing context is different from the origin of the content carrying the X-FRAME-OPTIONS directive. For instance, if http://shop.example.com/confirm.asp contains a DENY directive, that page will not render in a sub-frame, no matter where the parent frame is located. In contrast, if the X-FRAME-OPTIONS directive contains the SAMEORIGIN token, the page may be framed by any page from the exact http://shop.example.com origin.

When rendering is blocked by the X-FRAME-OPTIONS policy, a local error page is presented that explains the restriction and provides a link which opens the frame in a new window. When displayed in a new window rather than a sub-frame, content is no longer subject to ClickJacking.
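The decision rule above, as an added Python model (not IE8's or Microsoft's own code). It assumes an origin is the (scheme, host, port) triple and pairs the post's confirm.asp URL with constructed parent-frame URLs:

```python
from urllib.parse import urlsplit

# Added example, not IE8's or Microsoft's code: a model of the browser-side
# X-FRAME-OPTIONS decision described above. An origin is assumed to be the
# (scheme, host, port) triple; confirm.asp is the post's URL, the parent-frame
# URLs are constructed for illustration.

DEFAULT_PORTS = {"http": 80, "https": 443}
CONFIRM = "http://shop.example.com/confirm.asp"


def origin(url):
    """Return the normalised (scheme, host, port) origin of a URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return (scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme))


def may_render(header_value, content_url, top_url=None):
    """Decide whether a document carrying X-FRAME-OPTIONS may be rendered.

    header_value: raw header value, or None if the response had no header.
    content_url:  URL of the document that carried the header.
    top_url:      URL of the top-level browsing context, or None when the
                  document itself is the top-level page (not framed).
    Returns True to render, False to show the local "blocked frame" page.
    """
    if top_url is None:
        return True   # not inside a frame: the policy never applies
    if header_value is None:
        return True   # opt-in mechanism: no header means no restriction
    token = header_value.strip().upper()   # assumption: tokens match case-insensitively
    if token == "DENY":
        return False  # never render inside any frame, whoever the parent is
    if token == "SAMEORIGIN":
        return origin(top_url) == origin(content_url)
    return True       # assumption: an unrecognised token imposes no restriction


def page_scenarios():
    """The cases the post walks through, plus the exact-origin corner cases."""
    return {
        "deny_any_parent": may_render("DENY", CONFIRM, "http://attacker.example.net/"),
        "deny_same_origin_parent": may_render("DENY", CONFIRM, "http://shop.example.com/cart.asp"),
        "sameorigin_same_parent": may_render("SAMEORIGIN", CONFIRM, "http://shop.example.com/cart.asp"),
        "sameorigin_other_host": may_render("SAMEORIGIN", CONFIRM, "http://www.example.com/"),
        "sameorigin_other_scheme": may_render("SAMEORIGIN", CONFIRM, "https://shop.example.com/"),
        "sameorigin_not_framed": may_render("SAMEORIGIN", CONFIRM),
        "no_header_framed": may_render(None, CONFIRM, "http://attacker.example.net/"),
    }
```

Note that SAMEORIGIN compares the whole origin, so a parent served over https from the same host, or from a sibling host such as www.example.com, is still blocked.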

X-FRAME-OPTIONS is an alternative, scriptless way of performing frame busting. However, this technique becomes useless if the attack involves Flash applets and other kinds of plug-in embeddings.

I came across a couple of articles claiming that ‘Experts’ believe this technique is not gonna lock down the attack. But I’m sure of one thing. At least websites will use this Microsoft technology to prevent attacks for their IE users.

For the time being this is a good security policy. Let's see what MSFT is ironing out for the final release.

Good Luck, Redmondians.

Oh! Forgot to say, I started using IE 8 RC1.

Reference: http://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx

Saturday, January 24, 2009

.NET Framework Standalone Installer Links

As the .NET Framework becomes more popular, many people are looking for standalone/offline .NET Framework installers. Here are some of the standalone/offline download links:

a) Microsoft .NET Framework 1.0 Redistributable :-
http://www.microsoft.com/downloads/details.aspx?familyid=d7158dee-a83f-4e21-b05a-009d06457787

b) Microsoft .NET Framework 1.1 Redistributable :-
http://www.microsoft.com/downloads/details.aspx?familyid=262D25E3-F589-4842-8157-034D1E7CF3A3

c) Microsoft .NET Framework 2.0 Redistributable :-
x86 -> http://www.microsoft.com/downloads/details.aspx?FamilyID=0856eacb-4362-4b0d-8edd-aab15c5e04f5
x64 -> http://www.microsoft.com/downloads/details.aspx?familyid=B44A0000-ACF8-4FA1-AFFB-40E78D788B00

d) Microsoft .NET Framework 3.0 Redistributable :-
x86 -> http://download.microsoft.com/download/3/F/0/3F0A922C-F239-4B9B-9CB0-DF53621C57D9/dotnetfx3.exe
x64 -> http://download.microsoft.com/download/3/F/0/3F0A922C-F239-4B9B-9CB0-DF53621C57D9/dotnetfx3_x64.exe

e) Microsoft .NET Framework 3.5 Redistributable :-
http://download.microsoft.com/download/6/0/f/60fc5854-3cb8-4892-b6db-bd4f42510f28/dotnetfx35.exe

f) Microsoft .NET Framework 3.5 Service Pack 1 :-
http://download.microsoft.com/download/2/0/e/20e90413-712f-438c-988e-fdaa79a8ac3d/dotnetfx35.exe

g) Microsoft .NET Framework 4.0 Redistributable :-
http://download.microsoft.com/download/9/5/A/95A9616B-7A37-4AF6-BC36-D6EA96C8DAAE/dotNetFx40_Full_x86_x64.exe

Wednesday, January 21, 2009

Browser War reloaded, IE-Share drops to 68%.

I'm an MSFT fanboy. I’m always curious to know how much market share MSFT holds for its products. MSFT’s two main eye-catching products are Internet Explorer and the Operating System. I keep an eye on both.

I don't know at what point MSFT got lazy or at what point they started losing the Browser War. Like a nightmare, IE's share is dipping and Firefox's share is on the rise, covering 20% (on Dec 1, 2008). IE’s share dropped to 68%. Remember, IE had a solid share of 95% in 2002. Suddenly, IE sank when Mozilla hit the market with its open-source browser captioned Firefox.

MSFT has a tough time ahead with IE8. Right now I'm using IE8 Beta 2. I'm enjoying it. Much, much better than IE7. One way or another, Google is struggling with its new browser Chrome, with a market share of approx. 1%. I know it's not the time to judge Chrome, since it has just been launched. Chrome was released with the aim of covering IE’s market share. If so, they have to cover Safari (8%) and Firefox (20%). But I cannot understand one thing: Google has an alliance with Mozilla, due to which they have made Google their default search engine. One thing is sure: Chrome is not going to cover Firefox at any point. Then one thing could happen: either Google would buy Firefox, or the Firefox and Chrome browser teams would work together to beat IE.

One thing is very clear now. MSFT realized the seriousness when they started losing IE share and with the rise of anti-MSFT sentiment around the globe. IE8 is a good challenge for both Google and Mozilla. I bet.

One thing that always made me laugh is that Chrome won’t prompt when we try to close it with multiple tabs open or downloads in progress. I don't and can't understand why the Google team missed such a silly point when making a major move. Also they have to do much work on the CSS engine. The ASP.NET site was one of my favorite sites, and it is cluttered in Chrome. Then how can I…
