Claims Sophos

Mar 24, 2008 17:56 GMT

The next versions of the open source Firefox and the proprietary Internet Explorer browsers are set to add support for new web standards, with part of the focus on HTML 5. Both Internet Explorer 8 and Firefox 3.0 will be designed to play well with HTML 5, and in this context, security company Sophos warned that users would become exposed to new risks. This is because the new features introduced by HTML 5 and supported by IE8 and Firefox 3.0 will signal the start of a new breed of threats tailored to the next iterations of the two browsers. Sophos pointed out that the provision for client-side storage will appeal to attackers in particular.

"Historically something of a bugbear, data storage on the client gets some attention in HTML 5. Simple, structured data can now be stored using sessionStorage and localStorage attributes. Only pages from the same origin, in the same window can access sessionStorage data, whereas localStorage data is designed to be accessed across windows, and between sessions (with the same. For those interested in user-tracking, these new storage attributes are attractive. The specification does include a discussion of steps browsers could take in order to help prevent user-tracking, but it is likely we will see targeted marketing taking advantage of this feature," revealed Fraser Howard, Sophos principal virus researcher.

Howard singled out client-side data storage as a very appealing target for the new attacks that will follow the availability of Internet Explorer 8 and Firefox 3.0. Sophos predicts that HTML 5 will bring client-side SQL injection attacks, because of its local SQL database storage capabilities. Firefox 3.0 is expected to be released by mid-2008. The release date for IE8 has not been announced, but Beta 2 is also planned for the summer of this year.
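The client-side SQL injection risk Sophos predicts comes down to whether untrusted input reaches the statement text or only a bound argument. The following is an added example, not code from Sophos or either browser: it assumes a transaction object with an `executeSql(statement, arguments)` method in the style of the HTML 5 draft's client-side SQL database API, and the `notes` table, the function names and the sample input are constructed for illustration.

```javascript
// UNSAFE: input is spliced into the statement text, so a quote character in
// the input closes the string literal and the rest is parsed as SQL.
function findNotesUnsafe(tx, owner) {
  tx.executeSql("SELECT body FROM notes WHERE owner = '" + owner + "'", []);
}

// SAFE: the statement text is constant; input travels only as a bound value.
function findNotesSafe(tx, owner) {
  tx.executeSql("SELECT body FROM notes WHERE owner = ?", [owner]);
}

// Recording stand-in for a transaction (hypothetical helper), so the check
// below runs outside a browser and can live in a unit test suite.
function recordingTx() {
  const calls = [];
  return { calls, executeSql(sql, args) { calls.push({ sql, args }); } };
}

// Reduce a statement to its structure by replacing every single-quoted
// literal (including '' escapes) with a placeholder.
function shape(sql) {
  return sql.replace(/'(?:[^']|'')*'/g, "?");
}

// Regression check: a query function is injection-safe for these inputs only
// if the statement structure is identical for benign and hostile values.
function shapeIsStable(queryFn, benign, hostile) {
  const a = recordingTx(), b = recordingTx();
  queryFn(a, benign);
  queryFn(b, hostile);
  return shape(a.calls[0].sql) === shape(b.calls[0].sql);
}

// Constructed input, standing in for a value read back from client-side
// storage or a URL fragment.
const HOSTILE = "alice' OR '1'='1";

console.log("unsafe stable:", shapeIsStable(findNotesUnsafe, "alice", HOSTILE));
console.log("safe stable:  ", shapeIsStable(findNotesSafe, "alice", HOSTILE));
```

A changed shape means the input altered the query's logic rather than just its data, which is the condition a code review or test should flag.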

"Increased provision for client-side storage is likely to have a large impact upon web applications that we use (in particular facilitating their offline use). However, the technologies may in turn significantly broaden the scope for attackers. As ever, users will be reliant upon the browsers to implement the specifications correctly, consistently and with security in mind. One thing is for sure, the attackers will already be investing energy into how some of the new features could be exploited," Howard added.

Download Firefox 3.0 Beta 4 / 2.0.0.12 from here and IE8 Beta 1 from here.
