IE8's XSS Filter Exposes Sites To XSS Attacks

Blue Taxes writes "The cross-site scripting filter that ships with Microsoft's Internet Explorer 8 browser can be abused by attackers to launch cross-site scripting attacks on websites and web pages that would otherwise be immune to this threat. The IE8 filter works by scanning outbound requests for strings that may be malicious. When such a string is detected, IE8 will dynamically generate a regular expression matching the outbound string. The browser then looks for the same pattern in responses from the server. If a match is made anywhere in the server's response, the browser assumes that a reflected XSS attack is being conducted and the browser will automatically alter the response so that the XSS attack cannot succeed. The researchers figured out a way to use IE8's altered response to conduct simple abuses and universal cross-site scripting attacks, which worked against sites that would not otherwise have been vulnerable to XSS." Here is the researchers' backgrounder (PDF) on the attack. Microsoft says that they have issued two patches that address the issue, but the researchers insist that holes remain.
Update: 04/20 14:06 GMT by KD : Microsoft's Security Response Center has issued a statement on the vulnerability.
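
A simplified model of the request/response matching described in the summary above, added here as an illustration; it is not Microsoft's code or the researchers'. The detection heuristic, the `<sc#ipt>` rewrite, the sample page and `site.example` are assumptions. It shows why rewriting in place is risky: the filter cannot tell reflected input from the site's own markup, while blocking the whole response leaves no altered page to parse.

```javascript
// Step 1: strings in the outbound request that look like script injection
// (assumed heuristic; the real filter's rules are not given on this page).
const SUSPICIOUS = /<script\b[^>]*>[\s\S]*?<\/script>/gi;

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Step 2: build one pattern per suspicious string found in the query.
function signaturesFor(requestUrl) {
  const query = decodeURIComponent(requestUrl.split("?")[1] || "");
  return (query.match(SUSPICIOUS) || []).map(
    (hit) => new RegExp(escapeRegExp(hit), "gi")
  );
}

// Step 3a: neuter mode. Every match anywhere in the response is rewritten,
// whether or not the server actually reflected the request string.
function filterNeuter(requestUrl, responseHtml) {
  let out = responseHtml;
  for (const sig of signaturesFor(requestUrl)) {
    out = out.replace(sig, (m) => m.replace(/<script/i, "<sc#ipt"));
  }
  return out;
}

// Step 3b: block mode (what `X-XSS-Protection: 1; mode=block` requests):
// on any match, render nothing instead of a modified page.
function filterBlock(requestUrl, responseHtml) {
  const hit = signaturesFor(requestUrl).some((sig) => sig.test(responseHtml));
  return hit ? "" : responseHtml;
}

// Constructed sample: a page that never echoes the q parameter.
const PAGE =
  "<html><body><script>initSession()</script><p>Results</p></body></html>";
const BENIGN_URL = "https://site.example/search?q=shoes";
const CRAFTED_URL =
  "https://site.example/search?q=" +
  encodeURIComponent("<script>initSession()</script>");

function demo() {
  return {
    benign: filterNeuter(BENIGN_URL, PAGE),   // unchanged
    neutered: filterNeuter(CRAFTED_URL, PAGE), // site's own script disabled
    blocked: filterBlock(CRAFTED_URL, PAGE),   // empty page, nothing rewritten
  };
}
```
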

  • Not my site... (Score:1, Interesting)

    by Anonymous Coward on Tuesday April 20, 2010 @02:06AM (#31906894)

    Not if IE8 wanders over to my site. Any version of IE gets a header redirect straight to the EU browser choice web site.
    It will remain so indefinitely unless (which I doubt) IE9 becomes ECMA JavaScript compliant and W3C standards compliant. Neither of which any existing single version of Internet Explorer is.
    I made the decision as a result of the IE attacks on Google and IE's failure to correctly render the site's W3C-validated CSS and XML template correctly.
    I haven't found any other major browser that can't render it correctly. Even WebKit-enabled phones have no trouble.

    The sooner everyone starts doing the same, the safer the web will be and the easier web developers' jobs will be.

    Web sites don't need Internet explorer. Internet Explorer needs websites.

  • by StuartHankins ( 1020819 ) on Tuesday April 20, 2010 @02:09AM (#31906922)

    An additional update to the IE XSS Filter is currently scheduled for release in June. This change will address a SCRIPT tag attack scenario described in the Blackhat EU presentation. This issue manifests when malicious script can “break out” from within a construct that is already within an existing script block. While the issue identified and addressed in MS10-002 was identified to exist on high-profile web sites, thus far real-world examples of the SCRIPT tag neutering attack scenario have been hard to come by.

    (emphasis mine)

    JUNE??? They are waiting until JUNE to "schedule the release" for this bugfix? And what is this "hard to come by", either they have found examples or they haven't. My guess is they have or they would have been quick to state "we have found no examples in the wild". And somehow, I don't know, maybe someone giving a presentation on the topic might signify that others know about this too and may be actively taking advantage of it now? Maybe a teensy chance of that?

    <sarcasm>Yes, folks, that's why you pay Microsoft all the big bucks. Their process seems to work so well... maybe they can work this into a regular Patch Tuesday so you don't have to reboot your servers / schedule an outage so many times that week.</sarcasm>

    This is fast-food software design, cheap and not particularly good for you. This is what you get when people have low expectations and are sensitive only to price -- how many patch Tuesdays so far this year didn't affect every version of IE, every version of Office and every recent version of Windows (and for most of these, require reboots)? It's way beyond sad and way past "whoops" when a major software manufacturer has this many bugfixes and problems with almost all of their software. Yes, software is complicated, but slow down and implement some quality control techniques for goodness' sake.

    This is just churning turds for profit, and we're stupid enough to eat them.

  • by gzipped_tar ( 1151931 ) on Tuesday April 20, 2010 @02:30AM (#31907010) Journal

    April is the cruellest month, breeding
    Bugs out of the crap app, delaying
    Fixes and patches, stirring
    Angry geeks with slashdot dupe.

  • Re:Oh the horrors! (Score:2, Interesting)

    by Statecraftsman ( 718862 ) * on Tuesday April 20, 2010 @02:44AM (#31907068)
    The only thing crazier than a dynamically generated regex is running a proprietary browser on top of a proprietary operating system.
  • Re:Oh the horrors! (Score:0, Interesting)

    by Anonymous Coward on Tuesday April 20, 2010 @02:59AM (#31907118)

    The only thing crazier than running a proprietary browser on top of a proprietary operating system is running a browser whose code you have not thoroughly audited yourself on top of an operating system whose code you have not thoroughly audited yourself (and believing yourself somehow vastly superior to all 'them' who don't do as you do).

  • Re:Oh the horrors! (Score:1, Interesting)

    by Anonymous Coward on Tuesday April 20, 2010 @08:01AM (#31908284)

    And in any case, you're still running on proprietary hardware, anyway.

  • by Culture20 ( 968837 ) on Tuesday April 20, 2010 @09:49AM (#31909260)

    The one case that has not been addressed by the filters is very rare and extremely unlikely to be found on a given website.

    Between now and June 8th? That's seven weeks! Seems we're lucky that we're not waiting until June 14th this year.
