Slashdot Mirror

← Back to Stories (view on slashdot.org)

Major IE8 Flaw Makes "Safe" Sites Unsafe

Posted by kdawson on from the keep-your-scripts-to-yourself dept.

After this weekend's report of a dangerous flaw in IE (which Microsoft confirmed today), intrudere points out an exclusive report in The Register on a new hole in IE8 that could allow an attacker to pull off cross-site scripting attacks on Web sites that ought, by rights, to be safe from XSS. This is according to two anonymous sources, who told El Reg that Microsoft had been notified of the vulnerability a few months ago.

8 of 83 comments (clear)

  1. See, Microsoft is right by Anonymous Coward · · Score: 5, Funny

    IE8 is compatible with sites designed for IE6. You won't see other browsers going the extra mile like this.

  2. Breaking News by BeaverAndrew · · Score: 5, Funny

    Oh my gosh! Internet explorer is not safe to use? This is incredible hot, breaking news to me.

    1. Re:Breaking News by palegray.net · · Score: 5, Funny
      I must dispute your view in the strongest terms possible. Internet Explorer is perfectly safe for everyday use. However, as there is no such thing as perfect security, you must take additional precautions to keep evil hackers away from your data. Apply these rules according to the sensitivity of your data, from least important to most:
      • Disconnect your computer from your local network. Download files on another computer, scan them for viruses, print them out, scan them into your Windows PC using ORC software, and then view the pages in IE.
      • Do the above, but have a priest onsite to bless each page individually before scanning it. This is an excellent deterrent against viruses with the word "demon" in the name.
      • Do the above, but encase your PC in acrylic and immerse it in a 10,000 gallon tank of holy water. Interact with it while wearing scuba gear.
      • Do the above, but put a lid on the tank and immerse it in the ocean. Interact with your PC via a submersible robot in the tank from from outside while wearing scuba gear.

      If you fail to follow these simple security guidelines, you can't blame Microsoft for the results.

      --
      512 MB RAM, 20 GB disk, 200 GB transfer, five datacenters. $19.95/month.
    2. Re:Breaking News by Penguinisto · · Score: 4, Insightful

      Internet Explorer is perfectly safe for everyday use.

      As long as you follow the old US gov't C3 security guidelines/settings for Windows NT 4.0 while you do it, sure.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
  3. In other news by Dartz-IRL · · Score: 5, Insightful

    Rain is wet....

    Despite MS best efforts, IE just won't shake it's 'insecure' tag, will it?

    Part of me wonders if perhaps these vulnerabilities aren't being made a big deal of because of the reputation of IE6. The rest of me which started using Firefox a long time ago just feels smug and superior.

    --
    So there I was, scribbling down some notes off the PC screen by hand, when I reached for the keyboard and Ctrl-S'd.
    1. Re:In other news by DJRumpy · · Score: 5, Insightful

      Yes, after months or years of testing. Had IE been standards compliant in the first place, without all of the OS specific hooks, many companies wouldn't be in this boat.

      It is not an insignificant effort to get off of IE 6, especially without many thousands of users, and hundreds or thousands of apps that will break, or require testing under Windows 7's Virtual PC software.

  4. Re:Ummm by lorenlal · · Score: 4, Funny

    Please go to the "a new hole in IE8" article.

    And if you're looking for the article to *read* it... yes, you are new here.

  5. Re:IE8 is *not* vulnerable by praseodym · · Score: 5, Informative

    Except, that was the FIRST security flaw linked in the article. The SECOND one (at The Register) is about a different security flaw, in the XSS filter. The XSS filter is new in IE8.

    And, BTW, Google does indeed disable it so that they are not vulnerable to the flaw: their servers send a "X-XSS-Protection: 0" header.