Feeds

Major IE8 flaw makes 'safe' sites unsafe

Microsoft's XSS buster busted

Using blade systems to cut costs and sharpen efficiencies

Exclusive The latest version of Microsoft's Internet Explorer browser contains a bug that can enable serious security attacks against websites that are otherwise safe.

The flaw in IE 8 can be exploited to introduce XSS, or cross-site scripting, errors on webpages that are otherwise safe, according to two Register sources, who discussed the bug on the condition they not be identified. Microsoft was notified of the vulnerability a few months ago, they said.

Ironically, the flaw resides in a protection added by Microsoft developers to IE 8 that's designed to prevent XSS attacks against sites. The feature works by rewriting vulnerable pages using a technique known as output encoding so that harmful characters and values are replaced with safer ones. A Google spokesman confirmed there is a "significant flaw" in the IE 8 feature but declined to provide specifics.

It's not clear how the protections can cause XSS vulnerabilities in websites that are otherwise safe. Michael Coates - a senior application security engineer at Aspect Security who has closely studied the feature but was unaware of the vulnerability - speculates it may be possible to cause IE 8 to rewrite pages in such a way that the new values trigger an attack on a clean site.

"If the attacker can figure out a flaw in the way IE 8 is actually doing that output encoding and then create a specific string the attacker will know will be transformed into an actual attack, they could use that to input a value ... that actually results in an attack firing on the page," he said. "This could be a way to introduce an attack into a page that didn't have a vulnerability otherwise."

XSS attacks are a way of manipulating a site's URL to inject malicious code or content into a trusted webpage. Many security watchers have come to view the IE 8 protections as Microsoft's answer to NoScript, a popular extension that helps prevent XSS and other types of attacks against users of the Firefox browser.

Late on Thursday afternoon, Microsoft told The Register: "Microsoft is investigating new public claims of a vulnerability in Internet Explorer. We're currently unaware of any attacks trying to use the claimed vulnerability or of customer impact."

Once its investigation is finished, the company will "take appropriate action," including issuing a patch or guidance on how users can protect themselves against exploits.

When Microsoft introduced the protections, it also created a way for webmasters to override the feature (by adding the response header "X-XSS-Protection: 0"). A review of the top 50 most visited websites shows that only web properties owned by Google have actually opted to do so. The small number of sites blocking the protection calls into question how widespread the vulnerability is.

Asked why Google was forgoing the protection, a company spokesman wrote in an email:

"We're aware of a significant flaw affecting the XSS Filter in IE8, and we've taken steps to help protect our users by disabling the mechanism on our properties until a fix has been released." He didn't elaborate.

In addition to potentially introducing serious vulnerabilities into webpages, the XSS protections can bring other undesirable results. That's because its engine frequently flags perfectly acceptable characters as potentially harmful. An examples of such a false positive is here.

David Ross, a senior software security engineer for Microsoft, has saiddevelopers designing the feature aimed to strike strike a pragmatic balance between protecting users and not breaking the web.

"We needed to find a way to make the filtering automatic and painless and thus provide maximum benefit to users," he wrote. "In summary, the XSS Filter will prove its worth by raising the bar and mitigating the types of XSS most commonly found across the web today, by default;, for users of Internet Explorer 8." ®

Boost IT visibility and business value

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.