IE8's XSS Filter Exposes Sites To XSS Attacks
Blue Taxes writes "The cross-site scripting filter that ships with Microsoft's Internet Explorer 8 browser can be abused by attackers to launch cross-site scripting attacks on websites and web pages that would otherwise be immune to this threat. The IE8 filter works by scanning outbound requests for strings that may be malicious. When such a string is detected, IE8 will dynamically generate a regular expression matching the outbound string. The browser then looks for the same pattern in responses from the server. If a match is made anywhere in the server's response, the browser assumes that a reflected XSS attack is being conducted and the browser will automatically alter the response so that the XSS attack cannot succeed. The researchers figured out a way to use IE8's altered response to conduct simple abuses and universal cross-site scripting attacks, which worked against sites that would not otherwise have been vulnerable to XSS." Here is the researchers' backgrounder (PDF) on the attack. Microsoft says that they have issued two patches that address the issue, but the researchers insist that holes remain.
Update: 04/20 14:06 GMT by KD : Microsoft's Security Response Center has issued a statement on the vulnerability.
Update: 04/20 14:06 GMT by KD : Microsoft's Security Response Center has issued a statement on the vulnerability.
stick to IE6. Long live Internet Explorer 6!
Close, but no cigar.
Really, if you want a first post, subscribe to the site. You will get your silly kicks, and the rest of us will at least know you are making a valuable contribution to the site by paying the rest of the users to be silly.
Moved to http://soylentnews.org/. You are invited to join us too!
As usually they have a disclaimer too:
*This posting is provided "AS IS" with no warranties, and confers no rights*
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Nah, it's more like this:
$ make meal ./meal
[tons of compiler output]
$
Segmentation Fault. Core dumped.
Colorless green Cthulhu waits dreaming furiously.
I'm sure your user will be deeply affected by this.