By Dan Goodin in San Francisco
20th April 2010
Microsoft will release an update intended to rid Internet Explorer 8 of
a vulnerability that can enable serious security attacks against
websites that are otherwise safe.
The change, which will be introduced in June, will be the third time in
six months that Microsoft has tweaked a feature used to filter out XSS,
or cross-site scripting filter, attacks against websites. The filter,
which Microsoft introduced with the release of IE 8, is designed to
strip out malicious commands that exploit the vulnerabilities, which
plague many websites.
As The Register reported in November, the new XSS filter could be
exploited to introduce XSS attacks on sites that otherwise weren't
vulnerable. Microsoft has twice made changes to the feature, once in
January and again in March, but last week, researchers at the Black Hat
Security Conference in Barcelona showed the filter still injected
threats into sites that included Google, Wikipedia, Twitter and even
Microsoft's own Bing.
"This issue manifests when malicious script can 'break out' from within
a construct that is already within an existing script block," David
Ross, of Microsoft Security Response Center, said here. "While the issue
identified and addressed in MS10-002 was identified to exist on
high-profile websites, thus far real-world examples of the SCRIPT tag
neutering attack scenario have been hard to come by."
Register now for HITBSecConf2010 - Dubai, the premier
deep-knowledge network security event in the GCC,
featuring keynote speakers John Viega and Matt Watchinski!