Security feature in IE8 exposes sites to XSS attacks

Status
Not open for further replies.

Justin

Posts: 914   +0

A recently added protection mechanism in IE8, intended to protect websites from cross-site scripting attacks, has ironically been revealed to contain a design flaw that would potentially allow the exact opposite. According to The Register, this flaw enables cross-site scripting errors to be introduced on websites that are otherwise completely safe by rewriting pages using a technique known as output encoding.

There is no definite explanation as how the flaw is exploited, but it is speculated that the attacker could use the XSS protection of Internet Explorer 8 against itself by manipulating the server's response, creating a string he knows will be substituted to a certain value and offer a way to introduce an attack into a page.

Microsoft is currently investigating the vulnerability and promised to take appropriate action, but claims they have received no reports of it being actively exploited in the wild. Other sites, such as Google, indicated they were taking the threat seriously and have taken steps to avoid being compromised.

Permalink to story.

 
Can someone explain what "XSS protection" is in Internet Explorer 8? I've never heard about that before.
 
One more reason not to use IE IMO. Why doesn't everyone just switch to something better.
 
"A recently added protection mechanism in IE8, intended to protect websites from cross-site scripting attacks, has ironically been revealed to contain a design flaw that would potentially allow the exact opposite."

I'm a PC and I'm insecure as F**K!
 
phantasm66 said:
"A recently added protection mechanism in IE8, intended to protect websites from cross-site scripting attacks, has ironically been revealed to contain a design flaw that would potentially allow the exact opposite."

I'm a PC and I'm insecure as F**K!

The fact that there's an exploit in IE8 has nothing to do with PCs as a whole. This is a problem with a specific program, not an operating system.

Back on topic, I find the actual quote that phantasm66 pulled out of the article quite amusing. 'A protection mechanism allows exact exploit it attempts to block.' Priceless.
 
Wow microsoft knows how to make them huh. everytime i see news on microsoft i laugh just a little i mean everyone knows IE is a crappy browser with tons of security problems but come on this is supposed to be a security feature to protect you and they cant even code it right. atleast they did us right with windows 7 even though we had to put up with vista.
 
isn't that nice? another reason to abandon IE for a better browser :D so that we don't have to run after Microsoft and its security patches that don't work
 
Its to bad the majority of users on IE are people who dont understand or know how to get other browsers installed and who probably don't even know there getting exploited.
 
Info:
Cross-Site Scripting (XSS) vulnerabilities are usually programming errors made by web developers, which allow an attacker to inject his own malicious code from a certain site into a different site. They can be used, for instance, to steal your authentication credentials and, more in general, to impersonate you on the victim site (e.g. your online banking or your web mail).
 
Docnoq said:
phantasm66 said:
"A recently added protection mechanism in IE8, intended to protect websites from cross-site scripting attacks, has ironically been revealed to contain a design flaw that would potentially allow the exact opposite."

I'm a PC and I'm insecure as F**K!

The fact that there's an exploit in IE8 has nothing to do with PCs as a whole. This is a problem with a specific program, not an operating system.

Back on topic, I find the actual quote that phantasm66 pulled out of the article quite amusing. 'A protection mechanism allows exact exploit it attempts to block.' Priceless.

Dude, its a reference to the Windows 7 media ad campaign. Don't you want TV?

http://arstechnica.com/microsoft/news/2009/10/im-a-pc-and-windows-7-was-my-idea.ars

Maybe think before you patronise people, eh?
 
No software is 100% secure and the bad guys simple look for what gives them the biggest bang for the buck. This is why we need layers of security, secure the OS, secure the Apps, secure the Network, etc.
 
You just know that these kind of thing will never end ;) When you fix one thing , it causes 2 new problems . You fix those problems, you open up a loop hole for the inevitable to happen once again , but i guess , its part of what makes life more interesting ;)
 
Adhmuz said:
One more reason not to use IE IMO. Why doesn't everyone just switch to something better.

agreed, time to read about this "output encoding" it interests me. But I hope it doesn't get out in the wild, looking forward to M$'s response or action, patch..etc.
 
everytime microsoft release something to do with internet explorer it usually takes a day before a major potential problem is found, this happens every time, im not even suprised anymore.
 
Why is microsoft always slinging hash about these "security patches"? They just want you to think their actually doing something for your $350 or whatever the ultimate edition lists for. When are they going to fix the windows metafile vulnerabilites, where as you merely VISIT Facebook without downloading a thing and you obtain a virus COPIED INTO YOUR WINDOWS FOLDER? Its high time for an alternative, Chrome anyone?
 
Well, people will always strive to find vulnerabilities on everything. Especially when we're talking about a web browser with a huge market share.
 
I'm sticking with IE and probably always will. It didn't have near as many security flaws in the last year that Firefix had. Microsoft has experts working to stay on top of the security issues. Firefox has a bunch of wannabe contributors and no centralized security oversight. And then there's the issue of Firefox add-ons created by whomever. As Firefox grows, so will the number of hackers breaking it. It will never be as totally secure as IE despite what the dreamers want to believe.
 
@Gacrabill
IE is the most vulnerable Innernet browser out there, you cant just use statistics from one year that go against firefox, what about all the previous years in which explorer was shown to be the worst?
And you say firefox will never be as secure as IE? what gives you this impression? the fact that there are more exploits available in explorer, by far, dwarfing all versions of firefox, or is it the fact that explorer is made by the biggest software company in the world and they have consistently been shown up by a company that survives on donations and search revenue from google?
I think it is you who needs to stop dreaming!
 
Sometimes I wonder if MS actually builds IE to be this crappy. I mean IE has been on the market longer than any browser, I am sure that their so called "development" team has improved a bit.
 
They should peek at the source for firefox, oh yeah they'd copy the fox but who cares, makes IE better.
 
why dont people get another browser ive seen people use ie 6 with no patches and they are soo confident to give in their bank account details why dont people do a little research
 
Can someone get it right already, we use up space downloading all the latest stuff thinking that we are doing the best and the right thing and it turns out its not, and not everyone even has security so they are just sitting ducks :)
 
Status
Not open for further replies.
Back