CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
November 23rd, 2009

Major Internet Explorer 8 Flaw Makes ‘Safe’ Sites Unsafe

The latest version of Microsoft’s Internet Explorer browser contains a bug that can enable serious security attacks against websites that are otherwise safe. The flaw in IE 8 can be exploited to introduce cross-site scripting (XSS) errors on webpages that have no such errors of their own. Microsoft was notified of the vulnerability a few months ago.

Ironically, the flaw resides in a protection added by Microsoft developers to IE 8 that’s designed to prevent XSS attacks against sites. The feature works by rewriting vulnerable pages using a technique known as output encoding so that harmful characters and values are replaced with safer ones. A Google spokesman confirmed there is a “significant flaw” in the IE 8 feature but declined to provide specifics.

It’s not clear how the protections can cause XSS vulnerabilities in websites that are otherwise safe. Michael Coates – a senior application security engineer at Aspect Security who has closely studied the feature but was unaware of the vulnerability – speculates it may be possible to cause IE 8 to rewrite pages in such a way that the new values trigger an attack on a clean site.

“If the attacker can figure out a flaw in the way IE 8 is actually doing that output encoding and then create a specific string the attacker will know will be transformed into an actual attack, they could use that to input a value … that actually results in an attack firing on the page,” he said. “This could be a way to introduce an attack into a page that didn’t have a vulnerability otherwise.”

XSS attacks are a way of manipulating a site’s URL to inject malicious code or content into a trusted webpage. Many security watchers have come to view the IE 8 protections as Microsoft’s answer to NoScript, a popular extension that helps prevent XSS and other types of attacks against users of the Firefox browser.

When Microsoft introduced the protections, it also created a way for webmasters to override the feature (by adding the response header “X-XSS-Protection: 0”). A review of the top 50 most visited websites shows that only web properties owned by Google have actually opted to do so. The small number of sites blocking the protection calls into question how widespread the vulnerability is.
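The header review described above can be repeated against your own sites' responses. The following is an added example, not code from the original article; the function names, state labels and `example.test` hosts are assumptions, and the sample responses are constructed. A response without the header is counted as leaving the filter at its default, which the article describes as on.

```python
from collections import Counter

HEADER = "x-xss-protection"
STATES = {"0": "opted-out", "1": "explicit-on"}

def xss_filter_state(raw_headers):
    """Classify one response's header block (CRLF- or LF-separated lines)."""
    values = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        # Header names are case-insensitive; lines without ':' (status line) are skipped.
        if sep and name.strip().lower() == HEADER:
            # Only the leading token decides on/off; anything after ';' is ignored here.
            values.append(value.split(";", 1)[0].strip())
    if not values:
        return "default-on"  # header absent: filter left at the browser default
    found = {STATES.get(v, "unrecognized") for v in values}
    # Repeated headers that disagree are reported as a finding, not resolved.
    return found.pop() if len(found) == 1 else "conflicting"

def audit(responses):
    """Map host -> state and count how many hosts fall in each state."""
    per_site = {host: xss_filter_state(raw) for host, raw in responses.items()}
    return per_site, Counter(per_site.values())

# Constructed sample responses (hypothetical hosts), one per case handled above.
SAMPLE = {
    "a.example.test": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                      "X-XSS-Protection: 0\r\n",
    "b.example.test": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n",
    "c.example.test": "HTTP/1.1 200 OK\r\nx-xss-protection:1 \r\n",
    "d.example.test": "HTTP/1.1 200 OK\r\nX-XSS-Protection: 0\r\n"
                      "X-XSS-Protection: 1\r\n",
    "e.example.test": "HTTP/1.1 200 OK\r\nX-XSS-Protection: off\r\n",
}

if __name__ == "__main__":
    per_site, counts = audit(SAMPLE)
    for host, state in sorted(per_site.items()):
        print(f"{host:16} {state}")
    print(dict(counts))
```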

In addition to potentially introducing serious vulnerabilities into webpages, the XSS protections can bring other undesirable results. That’s because its engine frequently flags perfectly acceptable characters as potentially harmful. An example of such a false positive is here.

David Ross, a senior software security engineer for Microsoft, has said developers designing the feature aimed to strike a pragmatic balance between protecting users and not breaking the web.

“We needed to find a way to make the filtering automatic and painless and thus provide maximum benefit to users,” he wrote. “In summary, the XSS Filter will prove its worth by raising the bar and mitigating the types of XSS most commonly found across the web today, by default, for users of Internet Explorer 8.”

Credit: The Register
