Home › News › Security
Security feature in IE8 exposes sites to XSS attacks
There is no definite explanation as how the flaw is exploited, but it is speculated that the attacker could use the XSS protection of Internet Explorer 8 against itself by manipulating the server's response, creating a string he knows will be substituted to a certain value and offer a way to introduce an attack into a page.
Microsoft is currently investigating the vulnerability and promised to take appropriate action, but claims they have received no reports of it being actively exploited in the wild. Other sites, such as Google, indicated they were taking the threat seriously and have taken steps to avoid being compromised.
User Comments (25)
Post a comment|
fref on November 25, 2009 12:47 PM |
Can someone explain what "XSS protection" is in Internet Explorer 8? I've never heard about that before. |
|
Adhmuz on November 25, 2009 12:49 PM |
One more reason not to use IE IMO. Why doesn't everyone just switch to something better. |
|
phantasm66 on November 25, 2009 12:51 PM |
"A recently added protection mechanism in IE8, intended to protect websites from cross-site scripting attacks, has ironically been revealed to contain a design flaw that would potentially allow the exact opposite." I'm a PC and I'm insecure as F**K! |
|
Docnoq on November 25, 2009 12:59 PM |
phantasm66 said: The fact that there's an exploit in IE8 has nothing to do with PCs as a whole. This is a problem with a specific program, not an operating system."A recently added protection mechanism in IE8, intended to protect websites from cross-site scripting attacks, has ironically been revealed to contain a design flaw that would potentially allow the exact opposite." I'm a PC and I'm insecure as F**K! Back on topic, I find the actual quote that phantasm66 pulled out of the article quite amusing. 'A protection mechanism allows exact exploit it attempts to block.' Priceless. |
|
Serag on November 25, 2009 1:07 PM |
Another reason added to the list of " ## reason's why you should convert from IE " |
|
klepto12 on November 25, 2009 1:07 PM |
Wow microsoft knows how to make them huh. everytime i see news on microsoft i laugh just a little i mean everyone knows IE is a crappy browser with tons of security problems but come on this is supposed to be a security feature to protect you and they cant even code it right. atleast they did us right with windows 7 even though we had to put up with vista. |
|
paynetrain007 on November 25, 2009 1:13 PM |
Thats why we use firefox. The only thing that worse then IE is Safari. |
|
lupinnktp on November 25, 2009 1:22 PM |
isn't that nice? another reason to abandon IE for a better browser  so that we don't have to run after Microsoft and its security patches that don't work
|
|
ColdPreacher on November 25, 2009 1:56 PM |
Its to bad the majority of users on IE are people who dont understand or know how to get other browsers installed and who probably don't even know there getting exploited. |
|
JMMD on November 25, 2009 1:59 PM |
Info: Cross-Site Scripting (XSS) vulnerabilities are usually programming errors made by web developers, which allow an attacker to inject his own malicious code from a certain site into a different site. They can be used, for instance, to steal your authentication credentials and, more in general, to impersonate you on the victim site (e.g. your online banking or your web mail). |
|
phantasm66 on November 25, 2009 2:00 PM |
Docnoq said: Dude, its a reference to the Windows 7 media ad campaign. Don't you want TV?phantasm66 said: The fact that there's an exploit in IE8 has nothing to do with PCs as a whole. This is a problem with a specific program, not an operating system."A recently added protection mechanism in IE8, intended to protect websites from cross-site scripting attacks, has ironically been revealed to contain a design flaw that would potentially allow the exact opposite." I'm a PC and I'm insecure as F**K! Back on topic, I find the actual quote that phantasm66 pulled out of the article quite amusing. 'A protection mechanism allows exact exploit it attempts to block.' Priceless. [link] Maybe think before you patronise people, eh? |
|
lightheart on November 25, 2009 2:15 PM |
No software is 100% secure and the bad guys simple look for what gives them the biggest bang for the buck. This is why we need layers of security, secure the OS, secure the Apps, secure the Network, etc. |
|
freedomthinker on November 25, 2009 2:25 PM |
You just know that these kind of thing will never end  When you fix one thing , it causes 2 new problems . You fix those problems, you open up a loop hole for the inevitable to happen once again , but i guess , its part of what makes life more interesting
|
|
levar on November 25, 2009 2:38 PM |
Adhmuz said: agreed, time to read about this "output encoding" it interests me. But I hope it doesn't get out in the wild, looking forward to M$'s response or action, patch..etc.One more reason not to use IE IMO. Why doesn't everyone just switch to something better. |
|
fada on November 25, 2009 2:42 PM |
everytime microsoft release something to do with internet explorer it usually takes a day before a major potential problem is found, this happens every time, im not even suprised anymore. |
|
tonylukac on November 25, 2009 2:51 PM |
Why is microsoft always slinging hash about these "security patches"? They just want you to think their actually doing something for your $350 or whatever the ultimate edition lists for. When are they going to fix the windows metafile vulnerabilites, where as you merely VISIT Facebook without downloading a thing and you obtain a virus COPIED INTO YOUR WINDOWS FOLDER? Its high time for an alternative, Chrome anyone? |
|
harby on November 25, 2009 4:08 PM |
Well, people will always strive to find vulnerabilities on everything. Especially when we're talking about a web browser with a huge market share. |
|
phantasm66 on November 25, 2009 4:29 PM |
I have not used Internet explorer regularly in as long as I can remember now. |
|
GACrabill on November 25, 2009 4:47 PM |
I'm sticking with IE and probably always will. It didn't have near as many security flaws in the last year that Firefix had. Microsoft has experts working to stay on top of the security issues. Firefox has a bunch of wannabe contributors and no centralized security oversight. And then there's the issue of Firefox add-ons created by whomever. As Firefox grows, so will the number of hackers breaking it. It will never be as totally secure as IE despite what the dreamers want to believe. |
|
fada on November 25, 2009 5:39 PM |
@Gacrabill IE is the most vulnerable Innernet browser out there, you cant just use statistics from one year that go against firefox, what about all the previous years in which explorer was shown to be the worst? And you say firefox will never be as secure as IE? what gives you this impression? the fact that there are more exploits available in explorer, by far, dwarfing all versions of firefox, or is it the fact that explorer is made by the biggest software company in the world and they have consistently been shown up by a company that survives on donations and search revenue from google? I think it is you who needs to stop dreaming! |
|
yorro on November 26, 2009 6:57 AM |
Sometimes I wonder if MS actually builds IE to be this crappy. I mean IE has been on the market longer than any browser, I am sure that their so called "development" team has improved a bit. |
|
Zeromus on November 27, 2009 1:36 PM |
They should peek at the source for firefox, oh yeah they'd copy the fox but who cares, makes IE better. |
|
jerry53 on November 27, 2009 8:38 PM |
why dont people get another browser ive seen people use ie 6 with no patches and they are soo confident to give in their bank account details why dont people do a little research |
|
Guest on November 27, 2009 8:41 PM |
Can someone get it right already, we use up space downloading all the latest stuff thinking that we are doing the best and the right thing and it turns out its not, and not everyone even has security so they are just sitting ducks 
|
|
swilllx2p on November 30, 2009 9:38 AM |
Yeah, sooo..normally I'd defend IE here a little because they are probably targeted most..but when you release a feature to stop something and it turns out doing nothing more then actually helping attackers do the same thing you meant to stop....well that's just pretty much pathetic. Hopefully they at least get it fixed before the attack is seen in the "wild". |
Most Popular
| Trending | Featured |
-
Chrome 17 released with "instant" browsing, improved security
-
Weekend game deals: Plants vs. Zombies $2, Mass Effect 2 $5
-
Windows 8 Consumer Preview coming Feb. 29, bundled apps leaked
-
Apple sued for $1.6 billion for using "iPad" in China, apology requested
-
Intel Core i7-3820 Review: Sandy Bridge-E for the masses