Microsoft to fix security hiccups in IE 8 XSS filter

Summary: On the heels of a Black Hat EU presentation that exposed security problems with the cross-site scripting (XSS) filter in Internet Explorer 8, Microsoft plans to ship an update to the filter to fix what is hopefully the last remaining attack scenario.


On the heels of a Black Hat EU presentation that exposed security problems with the cross-site scripting (XSS) filter in Internet Explorer 8, Microsoft plans to ship an update to the filter to fix what is hopefully the last remaining attack scenario.

During the conference presentation, a pair of researchers warned that the browser's built-in XSS filter can be abused by attackers to launch cross-site scripting attacks on websites and web pages that would otherwise be immune to this threat.

The researchers released demos to show that the issue introduces security problems at several high-profile sites, including Microsoft's own Bing.com, Google.com, Wikipedia.org and Twitter.com.

[ Security gone awry: IE 8 XSS filter exposes sites to XSS attacks ]

Microsoft shipped two separate updates recently -- MS10-002 and MS10-018 -- with defense-in-depth changes that addressed the bulk of the problems discussed at the conference, and a new update is scheduled for June 2010 to fix another attack scenario.

David Ross from the Microsoft Security Response Center explains:

An additional update to the IE XSS Filter is currently scheduled for release in June. This change will address a SCRIPT tag attack scenario described in the Blackhat EU presentation. This issue manifests when malicious script can “break out” from within a construct that is already within an existing script block. While the issue identified and addressed in MS10-002 was identified to exist on high-profile web sites, thus far real-world examples of the SCRIPT tag neutering attack scenario have been hard to come by.

Despite the hiccups, Ross argued that it's important to use a browser with an XSS Filter, as the benefits of protection from a large class of attacks outweigh the potential risks from vulnerabilities in most cases.

Topics: Browser, Microsoft, Security

Talkback

9 comments
  • Good job Microsoft.

    Just leave this in until a few hundred thousand people have had their identity stolen. No need to hurry. Take your sweet time.
    AzuMao
    • Better still ...

      ... why not rush out a fix and hose hundreds of thousands of users' PCs should anything go wrong with the untested fix?

      Unlike most companies who have few dependents and who have relatively few customers, every single update that MS makes to its many products has to be extensively tested. VERY extensively tested. It takes several weeks, for example, for many fixes to Windows core components to complete a test run because of the enormity of the test suites they must run.

      I'd be FAR happier if MS was to thoroughly test this fix to make damn sure my machines don't get hosed than listen to your inept "advice".
      de-void-21165590650301806002836337787023
      • Ya, seriously, I think you've just hit the nail on the head there.

        Billions of dollars simply aren't enough to hire a QA team of more than 0
        people, so the CEO (who knows nothing of computers) must personally try applying
        the patches to his computer and making sure FarmVille still works right. Which
        takes a long time because it's slow. That must be it.


        Or maybe the chances of malicious hackers causing damage when they have the
        means and the motivation to is much lower than the chance of Microsoft hosing
        their own operating system by mistake.


        Either way, GO MS!!!
        AzuMao
  • RE: Microsoft to fix security hiccups in IE 8 XSS filter

    Since this particular exploit in XSS doesn't so much affect the user as it does the server, if a website is concerned about their server security, perhaps they should not be running any type of scripting on the visitors' browsers. No Javascript to run, no script injection point, problem solved. Plus, your visitors wouldn't have to turn scripting on and risk hijacking of their browsers.

    Oh, but then all those cut and paste website "developers" wouldn't be able to "oooohhh" and "aaaaahhhhh" visitors with the fancy popup/under ads!!!
    wizard57m-cnet
    • ????

      JavaScript isn't run on the server. The XSS vulnerabilities introduced by
      Microsoft's attempt to plug XSS vulnerabilities can be used to make the
      browser run JavaScript code that the website hasn't told it to run.
      AzuMao
      • Where did you read that?

        All I can find is that the filters can nullify JavaScript and render it as HTML. Please post a link so I can better understand this.
        dev/null
        • I'm not sure how to explain it more simply than "JavaScript is client-side"

          AzuMao
        • XSS in a nutshell

          What can happen if no xss-protection is in place:

          1. User A posts a comment containing an inline script to website X. The script will do bad stuff to users who are also logged in to website Y.
          2. User B, who also has a tab open with website Y, browses to the page with the comment (on website X), and the javascript is executed by his browser.
          3. All sorts of bad things happen to user B.

          Because of "3.", there are filters in place on most websites to prevent comments from containing script tags, there are rules for which pages javascript may access when loaded in a particular page, etc.

          Vulnerabilities like the ones described here allow attackers (user A in the above example) to write code that will execute anyway.

          I can recommend the wikipedia article:
          http://en.wikipedia.org/wiki/Cross-site_scripting
          Welcor
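The scenario in the comment above, worked as an added example that is not part of the article or the comments: a comment-rendering routine that HTML-escapes user text instead of relying on a "strip script tags" blacklist filter, with a parser-based check of what markup a browser would actually see. The comment payload, the `doBadStuff` function name and all routine names are constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample: the "User A" comment from the explanation above.
# doBadStuff() is a hypothetical placeholder for the attacker's script.
MALICIOUS_COMMENT = (
    '<script>doBadStuff()</script> nice site! '
    '<b onmouseover="doBadStuff()">hi</b>'
)


def strip_script_tags(comment: str) -> str:
    """Blacklist-style filter of the kind the comment mentions: it removes
    literal <script> tags only, so any other script-bearing markup survives."""
    return comment.replace("<script>", "").replace("</script>", "")


def render_comment(author: str, comment: str) -> str:
    """Render a user comment as an HTML fragment with every piece of
    user-controlled text escaped, so the browser never parses it as markup."""
    return (
        '<div class="comment"><span class="author">'
        + html.escape(author, quote=True)
        + "</span><p>"
        + html.escape(comment, quote=True)
        + "</p></div>"
    )


class TagCollector(HTMLParser):
    """Record every tag name and attribute name the HTML parser produces."""

    def __init__(self):
        super().__init__()
        self.tags, self.attrs = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(name for name, _ in attrs)


def is_inert(fragment: str) -> bool:
    """True if the parsed fragment has no script element and no on* handler."""
    p = TagCollector()
    p.feed(fragment)
    return "script" not in p.tags and not any(
        a.lower().startswith("on") for a in p.attrs
    )
```

Run `is_inert` on both renderings: the blacklist-filtered comment still parses into a `<b>` element carrying an `onmouseover` handler, while the escaped rendering contains only the template's own elements.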