In association with heise online

25 November 2009, 15:26

Security feature of Internet Explorer 8 unsafe


The cross-site scripting (XSS) protection introduced in Internet Explorer 8 reportedly contains vulnerabilities that make otherwise immune web pages vulnerable. Attackers can, for example, exploit the holes to inject arbitrary JavaScript code into an HTML page and execute it within the context of an otherwise secure page. This allows the attackers to retrieve cookies, for example, or to post forum comments on behalf of the unwitting victim – there have been enough examples of XSS worms in the past. Reportedly Microsoft has known of the problem for months, but hasn't responded so far.

No details about the cause of the problem have become available. According to Giorgio Maone, who developed the NoScript plug-in for Firefox, the cause is a fundamental design flaw. Maone said he discovered the problem while he and other developers analysed various XSS protection mechanisms in browsers. However, the developer told The H's associates at heise Security that he only wants to publish his information once a solution has been found, adding that those who know how the XSS filter of IE8 works won't have difficulties with reproducing the problem.

Unlike NoScript, the XSS protection of Internet Explorer 8 filters server responses, rather than client requests, for suspicious code – and modifies them if required. This apparently allows attackers to manipulate the server's response and inject arbitrary code. However, Maone said that the attacker must have a certain amount of control over the content of the page accessed by the victim. This is, for example, the case on social networking pages, on forums, in wikis and in principle also in Google apps. However, Google disables IE's XSS filter by sending the X-XSS-Protection: 0 header, which makes it immune. Google reportedly took this action for security reasons. The vendor apparently already knew about the vulnerability in IE and said it wants to protect users until Microsoft has released a patch.
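
As an added example (not part of the original article and not vendor code), the following Python shows how a site operator could audit which of their responses opt out of the IE8 filter through the X-XSS-Protection header described above. The hostnames and response heads are constructed sample data, and the function names are hypothetical.

```python
# Added example: classify the X-XSS-Protection policy of HTTP responses.
# All hosts and response heads below are constructed sample data.

def xss_filter_policy(raw_head: str) -> str:
    """Classify a raw response head as one of:
    default, disabled, filter, block, conflict, invalid."""
    values = []
    for line in raw_head.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                               # blank line ends the headers
        name, sep, value = line.partition(":")
        # Header names are case-insensitive.
        if sep and name.strip().lower() == "x-xss-protection":
            values.append(value.strip().lower())
    if not values:
        return "default"                        # no header: browser default applies
    if len(set(values)) > 1:
        return "conflict"                       # duplicate headers disagree
    switch, *params = [p.strip() for p in values[0].split(";")]
    if switch == "0":
        return "disabled"                       # the opt-out the article describes
    if switch == "1":
        # mode=block is a real directive but is not mentioned in the article.
        return "block" if "mode=block" in params else "filter"
    return "invalid"

def audit(responses: dict) -> dict:
    """Map each URL to the policy its response head declares."""
    return {url: xss_filter_policy(head) for url, head in responses.items()}

SAMPLE_RESPONSES = {  # constructed
    "https://forum.example.test/":
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "https://apps.example.test/":
        "HTTP/1.1 200 OK\r\nx-xss-protection: 0\r\n\r\n",
    "https://wiki.example.test/":
        "HTTP/1.1 200 OK\r\nX-XSS-Protection: 1; mode=block\r\n\r\n",
    "https://mixed.example.test/":
        "HTTP/1.1 200 OK\r\nX-XSS-Protection: 0\r\nX-XSS-Protection: 1\r\n\r\n",
}

if __name__ == "__main__":
    for url, policy in audit(SAMPLE_RESPONSES).items():
        print(f"{policy:9} {url}")
```
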


(crve)

Permalink: http://h-online.com/-868837