Slashdot Mirror

← Back to Stories (view on slashdot.org)

Major IE8 Flaw Makes "Safe" Sites Unsafe

Posted by kdawson on from the keep-your-scripts-to-yourself dept.

After this weekend's report of a dangerous flaw in IE (which Microsoft confirmed today), intrudere points out an exclusive report in The Register on a new hole in IE8 that could allow an attacker to pull off cross-site scripting attacks on Web sites that ought, by rights, to be safe from XSS. This is according to two anonymous sources, who told El Reg that Microsoft had been notified of the vulnerability a few months ago.

6 of 83 comments (clear)

  1. IE8 is *not* vulnerable by Anonymous Coward · · Score: 0, Informative

    According to the Microsoft Security Advisor 977981 IE5 and IE8 are *not* vulnerables:

    http://www.microsoft.com/technet/security/advisory/977981.mspx

    1. Re:IE8 is *not* vulnerable by praseodym · · Score: 5, Informative

      Except, that was the FIRST security flaw linked in the article. The SECOND one (at The Register) is about a different security flaw, in the XSS filter. The XSS filter is new in IE8.

      And, BTW, Google does indeed disable it so that they are not vulnerable to the flaw: their servers send a "X-XSS-Protection: 0" header.

  2. Re:In other news by Anonymous Coward · · Score: 0, Informative

    I thought 2 other independent studies just showed that Firefox has more vulnerabilities than IE8. At least there was a /. submission about it. Selective readers.

  3. Re:In other news by lorenlal · · Score: 2, Informative

    As long as you have UAC enabled... Implying that you have Vista or Windows 7.

  4. Re:In other news by quickOnTheUptake · · Score: 2, Informative

    You mean the article that only a single pie graph comparing browsers? And no discussion at all of where he got his list of vulnerabilities from?
    I don't think it is that they are selective, just that they refused to accept numbers on faith alone.

    --
    Mod points: Guaranteed to remove your sense of humor.
    Side effects may include gullibility and temporary retardation
  5. Re:In other news by Anonymous Coward · · Score: 2, Informative

    You didn't RTFA. The flaw is located in normal user-mode code. Nothing about the flaw is in any way amplified or exacerbated by any perceived OS integration.
    And for that matter, IE has been a normal program from day one, however much MS may choose to deny that. IE is only a part of the OS in the sense that its rendering engine is used by the help system and the like. Is Konqueror part of the Linux kernel? Of course not.