To bulletproof Internet Explorer

Sep 5, 2006 11:07 GMT

The Redmond Company is advancing a research project, an automated framework dubbed BrowserShield, that would implement an active protective strategy designed to analyze and clean dynamic HTML content on Websites, blocking the execution of malicious code. A brainchild of Helen Wang and John Dunagan of the Systems & Networking group at Microsoft Research's Redmond lab, it aims to definitively patch browser vulnerabilities by scanning the JavaScript and Visual Basic script on Websites and delivering a safe runtime equivalent.

"Today, when you surf the Web," Wang commented, "at any point, you may wander to a bad neighborhood, and when you click on a link and navigate to a malicious Web site, your computer can be compromised, your private personal information can be stolen, and your machine can be used as a zombie for a larger botnet. What are the problems with those bad links, bad neighborhoods? Some links include a bad executable download. On other occasions, a Web page is crafted especially so a particular vulnerability in your browser is exploited, and your computer can be compromised."

With BrowserShield, the Redmond Company aims to stop the trend of browsers being used as attack vectors. It delivers content, together with its associated runtime logic, that is equivalent to the final result of rendering the original Web page, while intercepting embedded code before it executes. This is made possible by vulnerability filter policies that cut out malicious code designed to exploit browser flaws.

"Say there's a zero-day browser exploit," Wang added. "At a particular time, a patch might not be available. But in the meantime, we can allow users to browse through a BrowserShield-enabled toolbar. Users would then be able to type URLs into the toolbar rather than in the usual address bar. This allows all Web sites to be sanitized by the BrowserShield toolbar and enables a safe browsing experience."
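The interception and vulnerability filter policies described above can be sketched as a small runtime mediation layer. This is an added example, not BrowserShield code; the names `shield`, `policies`, `legacyWidget` and `setCaption`, the 256-character limit and the policy id are all hypothetical and constructed for illustration.

```javascript
// Added illustration: runtime interposition with a vulnerability-filter policy.
// All names (shield, policies, legacyWidget, setCaption) are hypothetical.

// Constructed stand-in for a host object with a flaw: setCaption() is assumed
// to mishandle captions longer than 256 characters.
const legacyWidget = {
  caption: "",
  setCaption(text) { this.caption = text; return true; },
  getCaption() { return this.caption; },
};

// One policy per known flaw: which member it guards and which calls to refuse.
const policies = [
  {
    id: "PLACEHOLDER-FLAW-1", // placeholder, not a real advisory id
    member: "setCaption",
    violates: (args) => typeof args[0] !== "string" || args[0].length > 256,
  },
];

// Wrap an object so every method call is checked before the real method runs.
function shield(target, rules, log = []) {
  return new Proxy(target, {
    get(obj, prop) {
      const value = Reflect.get(obj, prop);
      if (typeof value !== "function") return value;
      return (...args) => {
        for (const rule of rules) {
          if (rule.member === prop && rule.violates(args)) {
            log.push({ policy: rule.id, member: prop });
            return undefined; // the call is dropped; the page keeps running
          }
        }
        return value.apply(obj, args);
      };
    },
  });
}

// Constructed "page script" calls: one benign, one that matches the filter.
function runDemo() {
  const log = [];
  const widget = shield(legacyWidget, policies, log);
  const ok = widget.setCaption("Hello");
  const blocked = widget.setCaption("A".repeat(1000));
  return { ok, blocked, caption: widget.getCaption(), log };
}
```

The wrapper only mediates calls that go through it, so a rewriting system built this way has to ensure page script can never reach the unwrapped object. Removing a policy once the underlying flaw is patched restores the original behaviour without touching the page.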