Security feature in IE8 exposes sites to XSS attacks

By Justin Mann on November 25, 2009, 12:40 PM
A recently added protection mechanism in IE8, intended to protect websites from cross-site scripting attacks, has ironically been revealed to contain a design flaw that would potentially allow the exact opposite. According to The Register, this flaw enables cross-site scripting errors to be introduced on websites that are otherwise completely safe by rewriting pages using a technique known as output encoding.

There is no definite explanation as how the flaw is exploited, but it is speculated that the attacker could use the XSS protection of Internet Explorer 8 against itself by manipulating the server's response, creating a string he knows will be substituted to a certain value and offer a way to introduce an attack into a page.

Microsoft is currently investigating the vulnerability and promised to take appropriate action, but claims they have received no reports of it being actively exploited in the wild. Other sites, such as Google, indicated they were taking the threat seriously and have taken steps to avoid being compromised.

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.