Security feature in IE8 exposes sites to XSS attacks

By Justin Mann on November 25, 2009, 12:40 PM
A recently added protection mechanism in IE8, intended to protect websites from cross-site scripting attacks, has ironically been revealed to contain a design flaw that would potentially allow the exact opposite. According to The Register, this flaw enables cross-site scripting errors to be introduced on websites that are otherwise completely safe by rewriting pages using a technique known as output encoding.

There is no definite explanation as to how the flaw is exploited, but it is speculated that an attacker could turn the XSS protection of Internet Explorer 8 against itself by manipulating the server's response: creating a string he knows will be substituted with a certain value, which offers a way to introduce an attack into a page.

Microsoft is currently investigating the vulnerability and has promised to take appropriate action, but claims it has received no reports of it being actively exploited in the wild. Other sites, such as Google, indicated they were taking the threat seriously and have taken steps to avoid being compromised.




User Comments: 25

fref said:

Can someone explain what "XSS protection" is in Internet Explorer 8? I've never heard about that before.

Adhmuz, TechSpot Paladin, said:

One more reason not to use IE IMO. Why doesn't everyone just switch to something better?

Phantasm66 said:

"A recently added protection mechanism in IE8, intended to protect websites from cross-site scripting attacks, has ironically been revealed to contain a design flaw that would potentially allow the exact opposite."

I'm a PC and I'm insecure as F**K!

Docnoq said:

phantasm66 said:

"A recently added protection mechanism in IE8, intended to protect websites from cross-site scripting attacks, has ironically been revealed to contain a design flaw that would potentially allow the exact opposite."

I'm a PC and I'm insecure as F**K!

The fact that there's an exploit in IE8 has nothing to do with PCs as a whole. This is a problem with a specific program, not an operating system.

Back on topic, I find the actual quote that phantasm66 pulled out of the article quite amusing. 'A protection mechanism allows exact exploit it attempts to block.' Priceless.

Serag said:

Another reason added to the list of "## reasons why you should convert from IE"

klepto12, TechSpot Paladin, said:

Wow, Microsoft knows how to make them, huh. Every time I see news on Microsoft I laugh just a little. I mean, everyone knows IE is a crappy browser with tons of security problems, but come on, this is supposed to be a security feature to protect you and they can't even code it right. At least they did us right with Windows 7, even though we had to put up with Vista.

paynetrain007 said:

That's why we use Firefox. The only thing that's worse than IE is Safari.

lupinnktp said:

Isn't that nice? Another reason to abandon IE for a better browser so that we don't have to run after Microsoft and its security patches that don't work.

ColdPreacher said:

It's too bad the majority of users on IE are people who don't understand or know how to get other browsers installed and who probably don't even know they're getting exploited.

JMMD, TechSpot Chancellor, said:

Info:

Cross-Site Scripting (XSS) vulnerabilities are usually programming errors made by web developers, which allow an attacker to inject his own malicious code from a certain site into a different site. They can be used, for instance, to steal your authentication credentials and, more in general, to impersonate you on the victim site (e.g. your online banking or your web mail).

Phantasm66 said:

Docnoq said:

phantasm66 said:

"A recently added protection mechanism in IE8, intended to protect websites from cross-site scripting attacks, has ironically been revealed to contain a design flaw that would potentially allow the exact opposite."

I'm a PC and I'm insecure as F**K!

The fact that there's an exploit in IE8 has nothing to do with PCs as a whole. This is a problem with a specific program, not an operating system.

Back on topic, I find the actual quote that phantasm66 pulled out of the article quite amusing. 'A protection mechanism allows exact exploit it attempts to block.' Priceless.

Dude, it's a reference to the Windows 7 media ad campaign. Don't you want TV?

[link]

Maybe think before you patronise people, eh?

LightHeart said:

No software is 100% secure and the bad guys simply look for what gives them the biggest bang for the buck. This is why we need layers of security: secure the OS, secure the Apps, secure the Network, etc.

freedomthinker said:

You just know that these kinds of things will never end. When you fix one thing, it causes 2 new problems. You fix those problems, you open up a loophole for the inevitable to happen once again, but I guess it's part of what makes life more interesting.

levar said:

Adhmuz said:

One more reason not to use IE IMO. Why doesn't everyone just switch to something better?

Agreed. Time to read about this "output encoding", it interests me. But I hope it doesn't get out in the wild. Looking forward to M$'s response or action, patch, etc.

Fada said:

Every time Microsoft releases something to do with Internet Explorer it usually takes a day before a major potential problem is found. This happens every time; I'm not even surprised anymore.

tonylukac said:

Why is Microsoft always slinging hash about these "security patches"? They just want you to think they're actually doing something for your $350 or whatever the ultimate edition lists for. When are they going to fix the Windows metafile vulnerabilities, whereas you merely VISIT Facebook without downloading a thing and you obtain a virus COPIED INTO YOUR WINDOWS FOLDER? It's high time for an alternative. Chrome, anyone?

harby said:

Well, people will always strive to find vulnerabilities on everything. Especially when we're talking about a web browser with a huge market share.

Phantasm66 said:

I have not used Internet Explorer regularly in as long as I can remember now.

GACrabill said:

I'm sticking with IE and probably always will. It didn't have near as many security flaws in the last year that Firefox had. Microsoft has experts working to stay on top of the security issues. Firefox has a bunch of wannabe contributors and no centralized security oversight. And then there's the issue of Firefox add-ons created by whomever. As Firefox grows, so will the number of hackers breaking it. It will never be as totally secure as IE despite what the dreamers want to believe.

Fada said:

@Gacrabill

IE is the most vulnerable Internet browser out there. You can't just use statistics from one year that go against Firefox; what about all the previous years in which Explorer was shown to be the worst?

And you say Firefox will never be as secure as IE? What gives you this impression? The fact that there are more exploits available in Explorer, by far, dwarfing all versions of Firefox, or is it the fact that Explorer is made by the biggest software company in the world and they have consistently been shown up by a company that survives on donations and search revenue from Google?

I think it is you who needs to stop dreaming!

yorro said:

Sometimes I wonder if MS actually builds IE to be this crappy. I mean IE has been on the market longer than any browser, I am sure that their so called "development" team has improved a bit.

Zeromus said:

They should peek at the source for Firefox. Oh yeah, they'd copy the fox, but who cares, makes IE better.

jerry53 said:

Why don't people get another browser? I've seen people use IE 6 with no patches and they are so confident to give in their bank account details. Why don't people do a little research?

Guest said:

Can someone get it right already? We use up space downloading all the latest stuff thinking that we are doing the best and the right thing and it turns out it's not, and not everyone even has security so they are just sitting ducks :)

swilllx2p said:

Yeah, sooo... normally I'd defend IE here a little because they are probably targeted most... but when you release a feature to stop something and it turns out doing nothing more than actually helping attackers do the same thing you meant to stop... well, that's just pretty much pathetic. Hopefully they at least get it fixed before the attack is seen in the "wild".
