IE8's XSS Filter Exposes Sites To XSS Attacks
Blue Taxes writes "The cross-site scripting filter that ships with Microsoft's Internet Explorer 8 browser can be abused by attackers to launch cross-site scripting attacks on websites and web pages that would otherwise be immune to this threat. The IE8 filter works by scanning outbound requests for strings that may be malicious. When such a string is detected, IE8 will dynamically generate a regular expression matching the outbound string. The browser then looks for the same pattern in responses from the server. If a match is made anywhere in the server's response, the browser assumes that a reflected XSS attack is being conducted and the browser will automatically alter the response so that the XSS attack cannot succeed. The researchers figured out a way to use IE8's altered response to conduct simple abuses and universal cross-site scripting attacks, which worked against sites that would not otherwise have been vulnerable to XSS." Here is the researchers' backgrounder (PDF) on the attack. Microsoft says that they have issued two patches that address the issue, but the researchers insist that holes remain.
Update: 04/20 14:06 GMT by KD : Microsoft's Security Response Center has issued a statement on the vulnerability.
Update: 04/20 14:06 GMT by KD : Microsoft's Security Response Center has issued a statement on the vulnerability.
An additional update to the IE XSS Filter is currently scheduled for release in June. This change will address a SCRIPT tag attack scenario described in the Blackhat EU presentation. This issue manifests when malicious script can “break out” from within a construct that is already within an existing script block. While the issue identified and addressed in MS10-002 was identified to exist on high-profile web sites, thus far real-world examples of the SCRIPT tag neutering attack scenario have been hard to come by.
(emphasis mine)
JUNE??? They are waiting until JUNE to "schedule the release" for this bugfix? And what is this "hard to come by", either they have found examples or they haven't. My guess is they have or they would have been quick to state "we have found no examples in the wild". And somehow, I don't know, maybe someone giving a presentation on the topic might signify that others know about this too and may be actively taking advantage of it now? Maybe a teensy chance of that?
<sarcasm>Yes, folks, that's why you pay Microsoft all the big bucks. Their process seems to work so well... maybe they can work this into a regular Patch Tuesday so you don't have to reboot your servers / schedule an outage so many times that week.</sarcasm>
This is fast-food software design, cheap and not particularly good for you. This is what you get when people have low expectations and are sensitive only to price -- how many patch Tuesdays so far this year didn't affect every version of IE, every version of Office and every recent version of Windows (and for most of these, require reboots)? It's way beyond sad and way past "whoops" when a major software manufacturer has this many bugfixes and problems with almost all of their software. Yes, software is complicated, but slow down and implement some quality control techniques for goodness' sake.
This is just churning turds for profit, and we're stupid enough to eat them.
April is the cruellest month, breeding
Bugs out of the crap app, delaying
Fixes and patches, stirring
Angry geeks with slashdot dupe.
Colorless green Cthulhu waits dreaming furiously.
The only thing crazier than a dynamically generated regex is running a proprietary browser on top of a proprietary operating system.
The one case that has not been addressed by the filters is very rare and extremely unlikely to be found on a given websites.
Between now and June 8th? That's seven weeks! Seems we're lucky that we're not waiting until June 14th this year.