Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Security gone awry: IE 8 XSS filter exposes sites to XSS attacks

By | April 19, 2010, 11:45am PDT

Summary: The cross-site scripting filter that ships with Microsoft’s Internet Explorer 8 browser can be abused by attackers to launch cross-site scripting attacks on websites and web pages that would otherwise be immune to this threat.

[ UPDATE: Microsoft plans to ship an XSS filter update in June 2010 to fix what is hopefully the last attack scenario ]

According to a presentation at this year’s Black Hat Europe conference, the issue introduces security problems at several high-profile websites, including Microsoft’s own Bing.com (screenshot), Google.com, Wikipedia.org, Twitter.com (screenshot) and just about any site that lets IE 8 users create profiles.

[ SEE: Anti-malware blocker, XSS protections coming in IE 8 ]

Microsoft added the anti-XSS feature in IE 8 last August to detect Type-1 (reflection) attacks that can lead to cookie theft, keystroke logging, Web site defacement and credentials theft. However, as the researchers discovered, Microsoft’s filters work by scanning outbound requests for strings that may be malicious.

This is where the hiccup exists:

When such a string is detected, IE8 will dynamically generate a regular expression matching the outbound string. The browser then looks for the same pattern in responses from the server. If a match is made anywhere in the server’s response then the browser assumes that a reflected XSS attack is being conducted and the browser will automatically alter the response so that the XSS attack will be unsuccessful.

The exact method used to alter a server’s response is a crucial component in preventing XSS attacks. If the attack is not properly neutralized then a malicious script may still execute. On the other hand, it is also crucial that benign requests are not accidentally detected.

The researchers figured out a way to use IE 8’s altered response to conduct simple abuses and universal cross-site scripting attacks.
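To make the three steps of the mechanism concrete (scan the outbound request, build a pattern from the suspicious value, alter the response when that pattern is found), here is a small Python model added for this article. It is not Microsoft's filter code and not taken from the researchers' paper: the suspicious-string heuristic, the neutralisation rewrite, the function names and the sample URL and response bodies (example.test) are all constructed for illustration. The one real detail it relies on is the X-XSS-Protection: 0 response header, which IE 8 honours as a per-response opt-out from the filter.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Request-side heuristic of this toy model. Constructed for the illustration;
# IE8's real signature set is not described on the page.
SUSPICIOUS = re.compile(r"<\s*script|on\w+\s*=|javascript:", re.IGNORECASE)


def suspicious_values(url):
    """Return the query-string values that look like script injection."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return [v for values in params.values() for v in values if SUSPICIOUS.search(v)]


def reflection_pattern(value):
    """Turn an outbound value into the regex the browser then hunts for in the
    reply. Whitespace runs are relaxed and matching is case-insensitive so a
    trivially re-spaced copy of the value still counts as a reflection."""
    return re.compile(r"\s+".join(re.escape(p) for p in value.split()), re.IGNORECASE)


def neuter(body, match):
    """Toy neutralisation: break the reflected fragment by encoding its '<'.
    The exact rewrite IE8 applies is not described on the page."""
    fixed = match.group(0).replace("<", "&lt;")
    return body[:match.start()] + fixed + body[match.end():]


def apply_filter(url, headers, body):
    """Model of the browser-side decision. Returns (body_as_rendered, action)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    # Site-level opt-out: a response carrying 'X-XSS-Protection: 0' is left alone.
    if hdrs.get("x-xss-protection", "").strip().startswith("0"):
        return body, "filter disabled by server"
    for value in suspicious_values(url):
        m = reflection_pattern(value).search(body)
        if m:
            return neuter(body, m), "reflection neutered"
    return body, "no reflection found"


# Constructed sample request and two possible server responses to it.
PAYLOAD_URL = "https://example.test/search?q=%3Cscript%3Ealert(1)%3C/script%3E"
UNESCAPED = "<p>Results for <script>alert(1)</script></p>"            # reflects raw input
ESCAPED = "<p>Results for &lt;script&gt;alert(1)&lt;/script&gt;</p>"  # encodes output


def demo():
    """Run the three cases a site operator should understand."""
    return {
        "vulnerable": apply_filter(PAYLOAD_URL, {}, UNESCAPED),
        "encoded": apply_filter(PAYLOAD_URL, {}, ESCAPED),
        "opted_out": apply_filter(PAYLOAD_URL, {"X-XSS-Protection": "0"}, UNESCAPED),
    }


if __name__ == "__main__":
    for name, (rendered, action) in demo().items():
        print(f"{name:10s} {action:28s} {rendered}")
```

The "encoded" case is the one that matters for the sites the article calls immune: correct output encoding leaves nothing for the generated pattern to match, so the filter never rewrites their responses and they lose nothing by opting out with the header. The "opted_out" case shows the other side: a page that reflects input raw and also sends X-XSS-Protection: 0 has removed its only backstop, so the fix for such a page is output encoding, not a header.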

[ SEE: Apache.org hit by targeted XSS attack, passwords compromised ]

This document (PDF) explains the scope of the problem and provides some demonstrations.

Jerry Bryant, a spokesman for Microsoft’s security response team, said the bulk of the problems described in the document was fixed with the MS10-002 security patch, which was released for IE users earlier this year.

“Microsoft also added a defense-in-depth change (MS10-018) in March 2010 to provide broader coverage for this type of attack scenario,” Bryant said.

However, not all of the issues have been fixed and the browser’s XSS filter is still introducing security risks on certain web sites.

End users running IE 8 should consider disabling the filters from within the browser until a comprehensive patch is shipped.

UPDATE: Microsoft’s Bryant e-mailed to point to this August 2008 blog post that provides some additional context on this issue.

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

57 Comments


RE: Security gone awry: IE 8 XSS filter exposes sites to XSS attacks
efsane Updated - 9th Apr 2011
Well done! Thank you very much for professional templates and community edition
sesli sohbet sesli chat
0 Votes
+ -
Most of these issues have already been patched, those that haven't can do workarounds. Sorry malicious people, no cookie for you today. Chance of effectively pulling this off has been mitigated to somewhere between zero and nil.
If they're such non-issues as you claim, why is the ZDNet community reporting them to the contrary? Either you or they are full of you know what....or they are........which is it ?............
The answer is:

Because Steve Ballmer personally signs LD's paycheck!!!!

I mean, did you not know that LD works at the FUD department at M$!!!
0 Votes
+ -
Have been mitigated?
Mr. Byte 19th Apr 2010
"However, not all of the issues have been fixed and the browser's XSS filter is still introducing security risks on certain web sites."

That doesn't sound like "most" and even less "mitigated to somewhere between zero and nil"

As usual, you downplay all M$ related issues to a no-problemo situation.
0 Votes
+ -
MS Apologist lives his past...
Agnostic_OS 20th Apr 2010
When a worm was found to affect Linux Servers you said...

"And as expected, the downplay of the seriousness of the vulnerability by dragging something completely nonrelated into it to compare to. Then make the feeble attempt to make it look better when in actuality its more inferior.
Posted by: Loverock Davidson Posted on: 11/08/05 "
0 Votes
+ -
Are you new here?
AzuMao 20th Apr 2010
He's on our side. His posts are entirely sarcastic.

Nobody could actually be that retarded, it's not possible.
0 Votes
+ -
Are you sure?
ubiquitous one 20th Apr 2010
wink
0 Votes
+ -
Embarrassing...
honeymonster 19th Apr 2010
In a security feature, no less. Someone@microsoft have some 'splaining to do. Ugh
0 Votes
+ -
Next we'll find out that
John Zern 19th Apr 2010
the security team writes their combinations on the back of their locks happy
0 Votes
+ -
What? You mean IE8 security failed?
ubiquitous one 20th Apr 2010
lol... grin

And here I thought you said it was as safe as sliced bread.

grin
0 Votes
+ -
Is disabling the filter still the best option? There are still a LOT of attacks this is preventing.
0 Votes
+ -
The best option
Greenknight_z 20th Apr 2010
No, the best option is to use Firefox with the NoScript add-on, which blocks XSS attacks without creating new vulnerabilities. Not an option everyone can use, unfortunately.
0 Votes
+ -
Oh the irony...
storm14k 19th Apr 2010
I guess the more we try to add security features to software the bigger we make the footprint that must be protected in the first place.
Everyone knows that. Everyone but M$, of course, they appear to have a crush on bloat, that's their way of showing how hard they try, they use bloat as cover up for their lack of technical talent.
0 Votes
+ -
Whatever you say, Dietrich. (nt)
John Zern 19th Apr 2010
];)
Or is it your neurons? (I mean both of them.)
0 Votes
+ -
Unavoidable
Cayble 19th Apr 2010
Plain and simply; the public have spoken, get used to it. What the public says is that despite the ABM crowds assertions that Windows collapses and locks up and gets infected on every installation numerous times daily, the public says WRONG.

In fact it doesn't happen often enough to be a significant bother for the hundreds of millions of users world wide but what is important to Mr. & Ms. Joe and Josephine average is that they want what Windows has and if that means bloat then bloat it shall be and MS just has to find ways to mitigate the damage so to speak.

Its unavoidable so get used to it. Its what the world wants and what the world demands. Like it or not, Windows runs the world.
0 Votes
+ -
The public doesn't say a thing at all
NickNielsen 20th Apr 2010
because the public doesn't have a clue.

Mr. & Ms. Joe and Josephine Average not only don't know there's an alternative to Windows, they don't even know the difference between hardware and software. All they want is to click this to check their email and click that to browse the web.
0 Votes
+ -
os and stop spamming this thread. Us winsheep want to discuss what's going on so we can seek more instability. Get it??
0 Votes
+ -
I'm sure you do
ubiquitous one 20th Apr 2010
Swiss cheese (security) tastes good on rye, doesn't it. Huh...
0 Votes
+ -
Any more practical mitigations?
s_southern 19th Apr 2010
Disabling the filter would likely cause more problems than it resolves. Are there any other mitigation options that are easily deployed, or is the solution to wait until there's a patch and hope nothing bad happens? (not exactly a comfortable option!)
0 Votes
+ -
1.
jdbukis@... 19th Apr 2010
Run as a standard user and at the very least scripts executing will run as such.
This is applicable to pretty much everything though, not just IE8.
A better solution is to not use a browser when it has known unpatched vulnerabilities in it, like IE8 currently does.
0 Votes
+ -
delete
AzuMao Updated - 20th Apr 2010
edit:

Come on mods, if you're going to delete the message I replied to, please delete mine too. Now it looks like I'm talking to myself. sad
http://www.readwriteweb.com/cloud/2010/04/the-largest-cloud-in-the-world.php

Google comes in a very distant second with less than one tenth the resources of the Conficker network, followed by Amazon with less than 40 times smaller than Conficker.

Read about it and weep.
Ah...Windows.......the malware incubator.....Love it. But by all means, blindly stay with an expensive way to have a mental breakdown - Windows - and enjoy the results. It won't happen today, tomorrow, or next week.....probably.....Now go on, attack this comment, shred it, prove it utterly wrong. Great, well done.....but I shall keep on watching similar reports about Windows security appear again, and again........they will appear.
0 Votes
+ -
Wrong.
AzuMao 19th Apr 2010
Removing it from the Internet isn't enough.

Remember to also destroy all Bluetooth, FireWire, USB, IDE, SATA, and SCSI ports, if you want to prevent it being infected.
0 Votes
+ -
Hmm...
statuskwo5 19th Apr 2010
You missed the train. I believe the article is about IE being exploited, not Windows itself.
0 Votes
+ -
Of course it is IE8, but what is it running on ? Who makes the IE8 software ? There will be a multitude of excuses you can put forward, but ultimately, the buck stops in Redmond.......and their software that is almost continuously shown to be defective in a variety of ways. IE8 is this week's flavour....I wonder what it will be next week, and the week after, and the week after. The lovely thing is that it is always something different ~ there are so many places to attack Windows software.
0 Votes
+ -
Glad to see you love the vast majority
tonymcs@... 19th Apr 2010
Unfortunately I don't think much of cheapskates running toy operating systems and pretending they're coping.

All software has bugs, what matters is whether they fix it or simply use spin like Apple and Linux with their almost invisible number of users.

wink
0 Votes
+ -
As soon as somebody even suggests there are flaws in Windows.....attack the messenger, and if possible, personally.......All software has bugs, agreed. It is purely that Windows has more than most. And please, *dont* give me that guff about the reason for more security problems on Windows is because there are more Windows boxes.......

Dude, about 70% of the internet runs on those toy operating systems; the reason you and I can communicate is because of those "toy operating systems"; the world's stock exchanges are all either running on or moving to those toy operating systems because they are faster, cheaper, more stable and more secure; NASA uses it for the same reasons, and Google (you know ? The world's largest and best search engine ? Know it ?), well, it runs completely on those "toy operating systems" and for precisely those reasons again.......as do many tvs, mobiles, car computers, etc. IBM has invested billions into those "toy operating systems" because that American company sees that the future lies with them.

Puh-lease, think first before using that label of "toy operating systems" ever again.
0 Votes
+ -
Other reasons
Earthling2 19th Apr 2010
Dude, about 70% of the internet runs on those toy operating systems; the reason you and I can communicate is because of those "toy operating systems"

These systems are the reason the users get malware so easily.

WordPress blogs hacked, redirecting to malware
http://blogs.zdnet.com/security/?p=6111

Apache.org hit by targeted XSS attack, passwords compromised
http://blogs.zdnet.com/security/?p=6123

Inside the Java 0-Day Exploit
http://threatpost.com/en_us/blogs/inside-java-0-day-exploit-041610

Network Solutions' Customers Hacked Again
http://threatpost.com/en_us/blogs/network-solutions-customers-hacked-again-041910

Well, you can't blame the OS for that can you?

Here is a brilliant response from one of the previous talkbacks, you can't beat that:

Apache servers have been passing on malware to Windoze clients for years without themselves being directly affected.

Priceless.
0 Votes
+ -
@earthling2.....thanks for making my case.
TonyOz Updated - 19th Apr 2010
Look at what you have written. You are arguing from a completely false premise. Those Apache systems are NOT the reason Windows boxes get infected so easily. The Apache servers almost always don't get infected unless there is a very unusual set of circumstances which has happened right now. And note too that it is a piece of specially crafted Microsoft software designed to prevent infections that has done this.

Generally speaking earthling2, those internet systems running Linux, Solaris etc. are remarkably robust. Of course they will pass on Windows viruses.....to them it is just another binary package passing through, not malware. What's your gripe ? Are you saying that the servers should get infected by that malware just because your Windows box does when it receives it ? Shouldn't you REALLY be asking: Why **don't** the Apache/Linux servers get the malware they are processing and passing through the net, but my Windows box does ?? Hmmmmmmmm ??????

The Java day exploit as far as I know is not directly linked to the "toy operating systems". But I may be wrong.

The XSS attack is directly attributable to faulty Microsoft software.....By now, I will bet there is already an Apache patch to block its effects.....If you run Windows software, wait till Tuesday next month.

By the way, many Linux users run antiviral software deliberately designed to catch Windows viruses. This is NOT because the Linux computers need the antiviral software, instead, it is a courtesy extended to the internet, designed to sweep up at least a little of the malware garbage constantly being poured out by Windows computers. And that is a solid fact. It is very difficult to make a Linux virus that will actually self propagate......You can make a Linux virus, but you cannot make it spread. I leave it to you to find out why.....if you are interested.
0 Votes
+ -
He was quoting me
ubiquitous one 20th Apr 2010
And thanks for making my case for me.

The reaction from Earthling2 is typically NBMer.

And note too that it is a piece of specially crafted Microsoft software designed to prevent infections that has done this.

And note too that he doesn't want to talk about IE8's XSS scripting attack. It's too painful.

silly
0 Votes
+ -
Well that settles that.
AzuMao 20th Apr 2010
If it's possible to use a script in a cross-platform scripting language running on a cross-platform webserver to send somebody a file that your OS won't even execute, it means your OS sucks, okay.. that makes sense.. *backs away slowly*
0 Votes
+ -
Here's another...
bckerr 20th Apr 2010
person making up numbers. Learn to research and stop making stuff up.

Installed base of server operating systems, worldwide 2003-2010 (thousands)

                  2003    2004    2005    2006    2007    2008    2009    2010
Windows Server  12.126  14.169  16.420  18.872  21.495  24.371  27.496  30.910
Linux (bought)   2.741   2.915   3.177   3.842   4.332   4.991   5.780   6.667
Unix             3.494   3.383   3.243   3.161   3.104   3.078   3.063   3.091
Novell           3.427   2.857   2.380   1.963   1.588   1.244     920     620
Other              876     615     446     325     266     236     222     221
Total           22.666  23.938  25.665  28.153  30.785  33.920  37.481  41.510

Source: http://www.comon.dk/index.php/news/show/id=30455

Source: http://digi.no/php/art.php?id=210048
0 Votes
+ -
Absolutely incredible.
AzuMao 20th Apr 2010
I never would have imagined that one could leap from an HTTP 500 Internal Server Error, and a Norwegian page from half a decade ago that says nothing other than that 21% of Windows users use Windows 95/98/ME, to.. server OS share.

Even Frogger can't make that huge of a leap. silly
0 Votes
+ -
Get it together
ubiquitous one 20th Apr 2010
Let's see, that looks like a bunch of useless numbers in a line followed by a link that gives me an "Internal 500 server error" followed by a website that's in some strange Nordic language that I don't read.

Good job, pal! :P
0 Votes
+ -
AzuMao Updated - 21st Apr 2010
Double posted, sorry.
0 Votes
+ -
Yeah but I don't use Chrome
ubiquitous one 21st Apr 2010
So who cares...
0 Votes
+ -
You should pay Microsoft...
windozefreak 20th Apr 2010
because if their os was not so bad, you would have nothing to sneer about on all of the windows related threads. How does it feel to crawl out of the basement??
0 Votes
+ -
Nonsense!
AzuMao 20th Apr 2010
There'll always be the Vim vs Emacs war to participate in.
0 Votes
+ -
What is the scope of the fallout?
Scrubinski 19th Apr 2010
If you visit an infected site (I noticed www.signonsandiego.com had an ad that seemed to launch a scripting attack as above), does this allow arbitrary code execution on the visiting client? Or does it just expose them to keylogging and similar problems while they are still on the page with the attack code?
0 Votes
+ -
The scope is ...
garethmcc 20th Apr 2010
.. that websites that had their own security mechanisms to protect against what the XSS filter is supposed to protect against can now be bypassed so web sites that were built correctly to be secure can be hacked.
0 Votes
+ -
Simple reason why this happened
garethmcc 20th Apr 2010
M$ only have paid for developers, probably a team of about 50 - 100 working on code for one of the least feature-rich and most buggy browsers out there as opposed to the 100's of thousands of pairs of eyes that look at code for Firefox and even Chrome. Open source will always be more secure than proprietary for this reason. You cannot fix security with a small group of people doing it for a pay check competing against a massive community of people doing it out of passion! This has been proven correct over and over and over again with constant reports of security bugs found everywhere in all of M$'s products, from OS, to web to productivity like Office.

Did you even bother to review our slides (http://p42.us/ie8xss/IE8%20Filters.ppt)?!?

On slides 64-68 we clearly suggest mitigations. On slide 65 we directly address whether users should disable the filters, to which our answer is "NO!". Leave the filters on; the benefits outweigh any risks, at this point in time.

-thornmaker
0 Votes
+ -
It takes real talent
NickNielsen 20th Apr 2010
to write software that actually opens the hole it's supposed to be closing.