Security gone awry: IE 8 XSS filter exposes sites to XSS attacks

Summary: The cross-site scripting filter that ships with Microsoft's Internet Explorer 8 browser can be abused by attackers to launch cross-site scripting attacks on websites and web pages that would otherwise be immune to this threat.

[ UPDATE: Microsoft plans to ship an XSS filter update in June 2010 to fix what is hopefully the last attack scenario ]

According to a presentation at this year's Black Hat Europe conference, the issue introduces security problems at several high-profile websites, including Microsoft's own Bing.com, Google.com, Wikipedia.org, Twitter.com and just about any site that lets IE 8 users create profiles.

Microsoft added the anti-XSS feature in IE 8 last August to detect Type-1 (reflected) attacks that can lead to cookie theft, keystroke logging, website defacement and credential theft. However, as the researchers discovered, Microsoft's filter works by scanning outbound requests for strings that may be malicious.

This is where the hiccup exists:

When such a string is detected, IE8 will dynamically generate a regular expression matching the outbound string. The browser then looks for the same pattern in responses from the server. If a match is made anywhere in the server's response then the browser assumes that a reflected XSS attack is being conducted and the browser will automatically alter the response so that the XSS attack will be unsuccessful.

The exact method used to alter a server's response is a crucial component in preventing XSS attacks. If the attack is not properly neutralized then a malicious script may still execute. On the other hand, it is also crucial that benign requests are not accidentally detected.

The researchers figured out a way to use IE 8's altered response to conduct simple abuses and universal cross-site scripting attacks.
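To make the detect-then-alter flow described above concrete, here is a simplified model written for this article, not Microsoft's code: it scans the request for a suspicious fragment, searches the response for that same fragment and alters it on a match, so a genuinely reflected payload is broken, but so is legitimate markup that merely happens to match the request. The signatures, pattern construction and '#' neutering are assumed simplifications; the X-XSS-Protection: 0 header, which the model honours, is the response header Microsoft documents for sites that want the filter disabled for their pages.

```python
import re

# Simplified model of the IE 8 filter flow the article describes: scan the
# outbound request, derive a pattern from a suspicious fragment, look for it
# in the response and alter the response on a match. Added illustration, not
# Microsoft's code; signatures, pattern building and '#' neutering are assumed.
SIGNATURES = [re.compile(r"<script", re.I), re.compile(r"javascript:", re.I)]

def suspicious_fragments(query_values):
    """Request values that trip one of the (assumed) outbound signatures."""
    return [v for v in query_values if any(s.search(v) for s in SIGNATURES)]

def response_pattern(fragment):
    """The outbound fragment, taken literally, with flexible whitespace."""
    return re.compile(r"\s*".join(re.escape(p) for p in fragment.split()), re.I)

def neuter(text):
    """Assumed neutering rule: '<script' -> '<#cript', which is no longer a tag."""
    return text[:1] + "#" + text[2:]

def filter_response(query_values, headers, body):
    """Return (body as the browser would render it, fragments it acted on).
    'X-XSS-Protection: 0' is the response header Microsoft documents for
    sites that want the filter off for their pages; it is honoured here."""
    if headers.get("X-XSS-Protection", "").strip().startswith("0"):
        return body, []
    acted_on = []
    for fragment in suspicious_fragments(query_values):
        body, n = response_pattern(fragment).subn(lambda m: neuter(m.group(0)), body)
        if n:
            acted_on.append(fragment)
    return body, acted_on

# Constructed sample page that legitimately loads its own script.
PAGE = '<html><head><script src="/app.js"></script></head><body>Hi</body></html>'

def reflected_case():
    """Genuine reflection: the server echoes the parameter into the page."""
    param = "<script>alert(1)</script>"
    return filter_response([param], {}, PAGE.replace("Hi", "Hi " + param))

def collateral_case():
    """Nothing is reflected, but the request carries text that already exists
    in the page, so the filter alters legitimate markup anyway."""
    return filter_response(['<script src="/app.js">'], {}, PAGE)

def opted_out_case():
    """Same request against a response that opts out through the header."""
    return filter_response(['<script src="/app.js">'], {"X-XSS-Protection": "0"}, PAGE)
```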

This document (PDF) explains the scope of the problem and provides some demonstrations.

Jerry Bryant, a spokesman for Microsoft's security response team, said the bulk of the problems described in the document was fixed with the MS10-002 security patch, which was released for IE users earlier this year.

"Microsoft also added a defense-in-depth change (MS10-018) in March 2010 to provide broader coverage for this type of attack scenario," Bryant said.

However, not all of the issues have been fixed and the browser's XSS filter is still introducing security risks on certain web sites.

End users running IE 8 should consider disabling the filters from within the browser until a comprehensive patch is shipped.

UPDATE: Microsoft's Bryant e-mailed to point to this August 2008 blog post that provides some additional context on this issue.

Talkback

  • Security gone awry: IE 8 XSS filter exposes sites to XSS attacks

    Most of these issues have already been patched, those that haven't can do workarounds. Sorry malicious people, no cookie for you today. Chance of effectively pulling this off has been mitigated to somewhere between zero and nil.
    Loverock Davidson
    • Loverock why is it you always poo-poo anything that affects M$ products?

      If they're such non-issues as you claim, why is the ZDNet community reporting them to the contrary? Either you or they are full of you know what... or they are... which is it?...
      Over and Out
      • RE: ...why is it you always poo-poo anything that effects M$ products?

        The answer is:

        Because Steve Ballmer personally signs LD's paycheck!!!!

        I mean, did you not know that LD works at the FUD department at M$!!!
        fatman65535
    • Have been mitigated?

      "However, not all of the issues have been fixed and the browser's XSS filter is still introducing security risks on certain web sites."

      That doesn't sound like "most" and even less "mitigated to somewhere between zero and nil"

      As usual, you downplay all M$ related issues to a no-problemo situation.
      Mr. Byte
    • MS Apologist lives his past...

      When a worm was found to affect Linux Servers you said...

      "And as expected, the downplay of the seriousness of the vulnerability by dragging something completely nonrelated into it to compare to. Then make the feeble attempt to make it look better when in actuality it's more inferior.
      Posted by: Loverock Davidson Posted on: 11/08/05 "
      Agnostic_OS
      • Are you new here?

        He's on our side. His posts are entirely sarcastic.

        Nobody could actually be that retarded, it's not possible.
        AzuMao
        • Are you sure?

          ;)
          ubiquitous one
  • Embarrassing...

    In a security feature, no less. Someone@microsoft have some 'splaining to do. Ugh
    honeymonster
    • Next we'll find out that

      the security team writes their combinations on the back of their locks :)
      John Zern
    • What? You mean IE8 security failed?

      lol... :D

      And here I thought you said it was as safe as sliced bread.

      :D
      ubiquitous one
  • RE: Security gone awry: IE 8 XSS filter exposes sites to XSS attacks

    is disabling filter still best option? there are still a LOT of attacks this is preventing.
    eatredmeatfeelgood@...
    • The best option

      No, the best option is to use Firefox with the NoScript add-on, which blocks XSS attacks without creating new vulnerabilities. Not an option everyone can use, unfortunately.
      Greenknight_z
  • Oh the irony...

    I guess the more we try to add security features to software the bigger we make the footprint that must be protected in the first place.
    storm14k
    • Bloat serves only to increase the body area exposed to attack

      Everyone knows that. Everyone but M$, of course, they appear to have a crush on bloat, that's their way of showing how hard they try, they use bloat as cover up for their lack of technical talent.
      Great Kahuna
      • Whatever you say, Dietrich. (nt)

        ];)
        John Zern
        • You misspelled my name, there must be something wrong with your keyboard.

          Or is it your neurons? (I mean both of them.)
          Great Kahuna
      • Unavoidable

        Plain and simple: the public have spoken, get used to it. What the public says is that despite the ABM crowd's assertions that Windows collapses and locks up and gets infected on every installation numerous times daily, the public says WRONG.

        In fact it doesn't happen often enough to be a significant bother for the hundreds of millions of users world wide but what is important to Mr. & Ms. Joe and Josephine average is that they want what Windows has and if that means bloat then bloat it shall be and MS just has to find ways to mitigate the damage so to speak.

        It's unavoidable so get used to it. It's what the world wants and what the world demands. Like it or not, Windows runs the world.
        Cayble
        • The public doesn't say a thing at all

          because the public doesn't have a clue.

          Mr. & Ms. Joe and Josephine Average not only don't know there's an alternative to Windows, they don't even know the difference between hardware and software. All they want is to click this to check their email and click that to browse the web.
          NickNielsen
          • Why don't you go and tell them about your favorite...

            os and stop spamming this thread. Us winsheep want to discuss what's going on so we can seek more instability. Get it??
            eargasm
          • I'm sure you do

            Swiss cheese (security) tastes good on rye, doesn't it. Huh...
            ubiquitous one