Microsoft Research Builds BrowserShield

Microsoft's Internet Explorer browser could soon start automatically rewriting and redisplaying content from Web sites rigged with malicious attack code.

Microsoft researchers are experimenting with an automatic code zapper for the companys Internet Explorer Web browser.

Researchers at the Redmond, Wash., company have completed work on a prototype framework called BrowserShield that promises to allow IE to intercept and remove, on the fly, malicious code hidden on Web pages, instead showing users safe equivalents of those pages.

The BrowserShield project—the brainchild of Helen Wang, a project leader in Microsoft Researchs Systems & Networking Research Group, and an outgrowth of the companys Shield initiative to block network worms—could one day even become Microsofts answer to zero-day browser exploits such as the WMF (Windows Metafile) attack that spread like wildfire in December 2005.

"This can provide another layer of security, even on unpatched browsers," Wang said in an interview with eWEEK. "If a patch isnt available, a BrowserShield-enabled tool bar can be used to clean pages hosting malicious content."

/zimages/1/28571.gifClick here to view a slide show on the new security features of Internet Explorer 7 RC1.

BrowserShield, described by Wang as a tool for deleting embedded scripts before a Web page is displayed on a browser, can inspect and clean both static and dynamic content. Dynamic content has become a popular vector for Web-borne malware attacks of late, security experts have said.

The framework could work particularly well, as it could provide a safety net, protecting many Web surfers from themselves.

Malicious hackers typically embed scripts on Web sites and then use social engineering techniques to trick unsuspecting visitors into downloading Trojans, bots, spyware programs and other harmful forms of malware.

With BrowserShield, Wang argues, many such attacks could be blocked. BrowserShield can be used as a framework that rewrites HTML pages to deny any attempt at executing harmful code on browsers.

"We basically intercept the Web page, inject our logic and transform the page that is eventually rendered on the browser," Wang said. "Were inserting our layer of code at run-time to make the Web page safe for the end user."

If the prototype is eventually folded into a Microsoft product, it could also protect against drive-by attacks that target flaws in IE, which is used by approximately 90 percent of Web surfers worldwide.

Indeed, during testing, Wangs team was able to inject HTML-rewriting logic into Web pages at an enterprise firewall. BrowserShield transparently rewrote and rendered many familiar Web sites that use JavaScript, a scripting language that can be used to run arbitrary server-provided code on a client computer.

"The framework could react in many ways to detect exploits," Wang wrote in a paper detailing the prototype tests. "Vulnerability-driven filtering should prevent all exploits (of a flaw) and should not disrupt any exploit free pages."

The research group tested BrowserShield against eight IE patches released in 2005 and found that BrowserShield—when used in tandem with standard anti-virus and HTTP filtering—would have provided the same protection as the software patches in every case, Wang wrote in a research paper.

Without BrowserShield, anti-virus software would have provided patch-equivalent protection for only one of the eight browser patches, according to Wang.

Thus, the Microsoft researchers believe the shield might even serve as an alternative to or at least an intermediary for software patches before they are made available.

/zimages/1/28571.gifMicrosofts security guru goes to Click here to read more.

BrowserShields design—its a so-called framework rather than an application feature—could also potentially allow it to be deployed outside of browsers, at the enterprise firewall-level or in servers, Wang said.

It could also include additional features. Wang said the research team built its prototype to support add-ons for securing AJAX (Asynchronous JavaScript and XML) applications and to block things such as phishing attempts.

BrowserShield is one of many security-related projects coming out of Microsoft Research.

The research units Cyber-security and Systems Management group has found success with a project called Strider HoneyMonkey that trawls the Internet looking for Web sites hosting malicious code.

Microsoft Research also has worked on a tool called Strider URL Tracer that looks for large-scale typo squatters; Strider GhostBuster, a rootkit scanner that looks for stealthy forms of malware; Strider Search Defender, a project that pinpoints search engine spammers; and Strider Gatekeeper, a spyware management utility.

/zimages/1/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.