Security feature in IE8 exposes sites to XSS attacks

By Justin · 25 replies
Nov 25, 2009
  1. A recently added protection mechanism in IE8, intended to protect websites from cross-site scripting attacks, has ironically been revealed to contain a design flaw that would potentially allow the exact opposite. According to The Register, this flaw enables cross-site scripting errors to be introduced on websites that are otherwise completely safe by rewriting pages using a technique known as output encoding.

    Read the whole story
  2. fref

    fref TS Enthusiast Posts: 153

    Can someone explain what "XSS protection" is in Internet Explorer 8? I've never heard about that before.
  3. Adhmuz

    Adhmuz TechSpot Paladin Posts: 1,828   +633

    One more reason not to use IE IMO. Why doesn't everyone just switch to something better?
  4. Phantasm66

    Phantasm66 TS Rookie Posts: 5,734   +8

    "A recently added protection mechanism in IE8, intended to protect websites from cross-site scripting attacks, has ironically been revealed to contain a design flaw that would potentially allow the exact opposite."

    I'm a PC and I'm insecure as F**K!
  5. Docnoq

    Docnoq TS Booster Posts: 143

    The fact that there's an exploit in IE8 has nothing to do with PCs as a whole. This is a problem with a specific program, not an operating system.

    Back on topic, I find the actual quote that Phantasm66 pulled out of the article quite amusing. 'A protection mechanism allows exact exploit it attempts to block.' Priceless.
  6. Serag

    Serag TS Booster Posts: 181

    Another reason added to the list of "## reasons why you should convert from IE"
  7. klepto12

    klepto12 TechSpot Paladin Posts: 1,115   +9

    Wow, Microsoft knows how to make them, huh. Every time I see news on Microsoft I laugh just a little. I mean, everyone knows IE is a crappy browser with tons of security problems, but come on, this is supposed to be a security feature to protect you and they can't even code it right. At least they did us right with Windows 7, even though we had to put up with Vista.
  8. paynetrain007

    paynetrain007 TS Rookie Posts: 88

    That's why we use Firefox. The only thing that's worse than IE is Safari.
  9. lupinnktp

    lupinnktp TS Rookie Posts: 44

    Isn't that nice? Another reason to abandon IE for a better browser :D So that we don't have to run after Microsoft and its security patches that don't work.
  10. ColdPreacher

    ColdPreacher TS Rookie Posts: 56

    It's too bad the majority of users on IE are people who don't understand or know how to get other browsers installed and who probably don't even know they're getting exploited.
  11. JMMD

    JMMD TechSpot Chancellor Posts: 854

    Cross-Site Scripting (XSS) vulnerabilities are usually programming errors made by web developers, which allow an attacker to inject his own malicious code from a certain site into a different site. They can be used, for instance, to steal your authentication credentials and, more in general, to impersonate you on the victim site (e.g. your online banking or your web mail).
  12. Phantasm66

    Phantasm66 TS Rookie Posts: 5,734   +8

    Dude, it's a reference to the Windows 7 media ad campaign. Don't you watch TV?

    Maybe think before you patronise people, eh?
  13. LightHeart

    LightHeart TS Rookie Posts: 155

    No software is 100% secure and the bad guys simply look for what gives them the biggest bang for the buck. This is why we need layers of security: secure the OS, secure the apps, secure the network, etc.
  14. freedomthinker

    freedomthinker TS Enthusiast Posts: 140

    You just know that this kind of thing will never end ;) When you fix one thing, it causes 2 new problems. You fix those problems, you open up a loophole for the inevitable to happen once again, but I guess it's part of what makes life more interesting ;)
  15. levar

    levar TS Rookie Posts: 229

    Agreed, time to read about this "output encoding"; it interests me. But I hope it doesn't get out in the wild. Looking forward to M$'s response or action, patch, etc.
  16. Fada

    Fada TS Rookie Posts: 34

    Every time Microsoft releases something to do with Internet Explorer it usually takes a day before a major potential problem is found. This happens every time; I'm not even surprised anymore.
  17. tonylukac

    tonylukac TS Evangelist Posts: 1,372   +69

    Why is Microsoft always slinging hash about these "security patches"? They just want you to think they're actually doing something for your $350 or whatever the Ultimate edition lists for. When are they going to fix the Windows Metafile vulnerabilities, whereby you merely VISIT Facebook without downloading a thing and you obtain a virus COPIED INTO YOUR WINDOWS FOLDER? It's high time for an alternative. Chrome, anyone?
  18. harby

    harby TS Enthusiast Posts: 37

    Well, people will always strive to find vulnerabilities on everything. Especially when we're talking about a web browser with a huge market share.
  19. Phantasm66

    Phantasm66 TS Rookie Posts: 5,734   +8

    I have not used Internet Explorer regularly in as long as I can remember now.
  20. GACrabill

    GACrabill TS Enthusiast Posts: 49   +9

    I'm sticking with IE and probably always will. It didn't have near as many security flaws in the last year that Firefox had. Microsoft has experts working to stay on top of the security issues. Firefox has a bunch of wannabe contributors and no centralized security oversight. And then there's the issue of Firefox add-ons created by whomever. As Firefox grows, so will the number of hackers breaking it. It will never be as totally secure as IE despite what the dreamers want to believe.
  21. Fada

    Fada TS Rookie Posts: 34

    IE is the most vulnerable Internet browser out there. You can't just use statistics from one year that go against Firefox; what about all the previous years in which Explorer was shown to be the worst?
    And you say Firefox will never be as secure as IE? What gives you this impression? The fact that there are more exploits available in Explorer, by far, dwarfing all versions of Firefox, or is it the fact that Explorer is made by the biggest software company in the world and they have consistently been shown up by a company that survives on donations and search revenue from Google?
    I think it is you who needs to stop dreaming!
  22. yorro

    yorro TS Booster Posts: 251

    Sometimes I wonder if MS actually builds IE to be this crappy. I mean, IE has been on the market longer than any browser; I am sure that their so-called "development" team has improved a bit.
  23. Zeromus

    Zeromus TS Booster Posts: 227   +7

    They should peek at the source for Firefox. Oh yeah, they'd copy the fox, but who cares, makes IE better.
  24. jerry53

    jerry53 TS Rookie Posts: 25

    Why don't people get another browser? I've seen people use IE 6 with no patches and they are so confident to give in their bank account details. Why don't people do a little research?
  25. Can someone get it right already? We use up space downloading all the latest stuff thinking that we are doing the best and the right thing and it turns out it's not, and not everyone even has security so they are just sitting ducks :)
Topic Status:
Not open for further replies.
