IE 8 browser can be abused by hackers to launch cross-site scripting attacks
April 20, 2010
It has just been discovered that the cross-site scripting filter that already ships with Microsoft’s Internet Explorer 8 browser can be severely abused by potential hackers to launch cross-site scripting attacks on Web sites that would otherwise be immune to this specific threat.
The security flaw also causes other issues at several high-profile websites, including Microsoft’s own Bing.com, Google, Wikipedia, Twitter and just about any site that lets IE 8 users create profiles.
Microsoft added the anti-XSS feature in IE 8 in August 2009 to detect Type-1 attacks that can lead to cookie theft, keystroke logging, website defacement and credentials theft.
But as the researchers discovered, Microsoft’s filters work by scanning outbound requests for strings that may be malicious in nature.
When such a malicious string is detected, IE 8 dynamically generates a regular expression matching the outbound string. The browser then looks for the same pattern in responses from the server. If a match is found anywhere in the server’s response, the browser assumes that a reflected XSS attack is under way and automatically alters the response so that the attack fails.
The exact method used to alter a server’s response is a crucial component in preventing XSS attacks. If the attack is not properly neutralized, a malicious script may still execute. On the other hand, it is also crucial that benign requests are not accidentally detected.
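The following toy model illustrates the request-scan, regex-match and response-alter steps described above, and shows why matching "anywhere in the response" can alter a page's own markup. It is an example added here, not IE 8's code or the researchers' code: the heuristics, the `#` overwrite used as the neutralization, the function names and the example.test URLs are all assumptions made for illustration.

```javascript
// Toy model of a reflection-matching XSS filter; not IE 8's actual code.
// ASSUMPTIONS: the heuristics and the '#' overwrite are illustrative only.
const HEURISTICS = [/<script\b[^>]*>/gi, /\bon\w+\s*=/gi];

const escapeRegExp = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Steps 1-2: scan the outbound request for suspicious strings and turn
// each one into a regular expression that tolerates whitespace changes.
function buildSignatures(requestUrl) {
  const decoded = decodeURIComponent(requestUrl.replace(/\+/g, ' '));
  const signatures = [];
  for (const heuristic of HEURISTICS) {
    for (const m of decoded.matchAll(heuristic)) {
      const pattern = escapeRegExp(m[0]).replace(/\s+/g, '\\s*');
      signatures.push(new RegExp(pattern, 'gi'));
    }
  }
  return signatures;
}

// Steps 3-4: look for each signature anywhere in the response and alter
// every hit. The filter cannot tell reflected input from the site's own markup.
function filterResponse(requestUrl, body) {
  let hits = 0;
  let altered = body;
  for (const signature of buildSignatures(requestUrl)) {
    altered = altered.replace(signature, (match) => {
      hits += 1;
      return match[0] + '#' + match.slice(2); // assumed neutralization
    });
  }
  return { altered, hits };
}

// Constructed sample data (example.test is a placeholder host).
const OWN_SCRIPT = '<script src="/app.js"></script>';
const reflected = filterResponse(
  'https://example.test/search?q=%3Cscript%3Ealert(1)%3C/script%3E',
  '<p>Results for <script>alert(1)</script></p>' + OWN_SCRIPT);
const benign = filterResponse(
  'https://example.test/search?q=ie8+filter',
  '<p>Results for ie8 filter</p>' + OWN_SCRIPT);
// False positive: the query quotes markup the page already contains.
const falsePositive = filterResponse(
  'https://example.test/help?q=%3Cscript+src%3D%22/app.js%22%3E',
  '<p>Help index</p>' + OWN_SCRIPT);

console.log(reflected, benign, falsePositive);
```

In the third case nothing from the request is reflected, yet the page's own script tag is rewritten, which is the kind of unintended alteration the paragraph above warns about.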
Security analysts figured out a way to use IE 8’s altered response to conduct simple abuses and universal cross-site scripting attacks.
Jerry Bryant, a spokesman for Microsoft’s security response team, said that most of the security issues described were already fixed with the MS10-002 security patch, which was released for IE users earlier in February.
“Microsoft also added a defense-in-depth change (MS10-018) later in March to provide broader coverage for this type of attack scenario,” Bryant said.
But not all of the security issues have been fixed and the browser’s XSS filter is still introducing security risks on certain web sites.
Until this security hole is properly analyzed and carefully repaired, the researchers recommend the following server-side mitigations:
Microsoft's next 'Patch Tuesday' is not slated until May 11, so some IE 8 users are now hoping that nothing will happen until then and that their systems will run normally.