On the heels of a Black Hat EU presentation that exposed security problems with the cross-site scripting (XSS) filter in Internet Explorer 8, Microsoft plans to ship an update to the filter to fix what is hopefully the last remaining attack scenario.
During the conference presentation, a pair of researchers warned that the browser’s built-in XSS filter can be abused by attackers to launch cross-site scripting attacks on websites and web pages that would otherwise be immune to this threat.
The researchers released demos to show that the issue introduces security problems at several high-profile sites, including Microsoft’s own Bing.com, Google.com, Wikipedia.org and Twitter.com.
Microsoft shipped two separate updates recently, MS10-002 and MS10-018, with defense-in-depth changes that addressed the bulk of the problems discussed at the conference, and a further update is scheduled for June 2010 to fix another attack scenario.
David Ross from the Microsoft Security Response Center explains:
An additional update to the IE XSS Filter is currently scheduled for release in June. This change will address a SCRIPT tag attack scenario described in the Blackhat EU presentation. This issue manifests when malicious script can “break out” from within a construct that is already within an existing script block. While the issue identified and addressed in MS10-002 was identified to exist on high-profile web sites, thus far real-world examples of the SCRIPT tag neutering attack scenario have been hard to come by.
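To make the SCRIPT tag scenario in Ross's note concrete, here is an added example written for this article; it is neither Microsoft's filter code nor the researchers' demo. It models a reflective XSS filter that "neuters" a matched tag in the response by inserting "#" into it, as IE8's filter did, and runs it against a page that had correctly confined untrusted text inside a JavaScript string literal. The filter's pattern list, the page template, the example.test URL and the payload are all constructed for the demo and are not the real filter's rules.

```javascript
// Added example: a simplified model of a response-rewriting ("neutering") XSS
// filter. The watched pattern and the page below are assumptions for the demo,
// not IE8's actual filter rules.

// A site that places untrusted text inside a JS string literal and escapes it
// correctly for that context: quotes, backslashes and "</" are escaped, so the
// text can neither end the string nor close the <script> element. HTML
// metacharacters are left alone, which is safe as long as the text really is
// script data and not markup.
function jsStringEscape(s) {
  return s.replace(/\\/g, "\\\\").replace(/"/g, '\\"').replace(/<\//g, "<\\/");
}

// Constructed page template (hypothetical search page).
function renderPage(q) {
  return '<html><head><script>var q = "' + jsStringEscape(q) + '";</script></head>' +
         '<body><p>Search results</p></body></html>';
}

// Model filter: if a watched pattern occurs in the (decoded) request URL and the
// same pattern occurs in the response, every copy in the response is rewritten
// by inserting "#" into the tag name. IE8 inserted "#" in a similar way; the
// pattern list here is invented for the demo.
const WATCHED = [/<script/gi];

function neuteringFilter(requestUrl, responseHtml) {
  const req = decodeURIComponent(requestUrl);
  let out = responseHtml;
  for (const re of WATCHED) {
    re.lastIndex = 0;
    if (!re.test(req)) continue;
    re.lastIndex = 0;
    out = out.replace(re, m => m.slice(0, 3) + "#" + m.slice(3)); // <script -> <sc#ript
  }
  return out;
}

// Minimal HTML-context scan: returns the tag names that a parser would treat as
// markup, i.e. everything outside a real <script> ... </script> element. Text
// inside a script element is script data, so tags written there are inert.
function tagsInHtmlContext(html) {
  const tags = [];
  const tagRe = /<(\/?)([a-z][^\s\/>]*)/gi;
  let inScript = false;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const closing = m[1] === "/";
    const name = m[2].toLowerCase();
    if (inScript) {
      if (closing && name === "script") inScript = false; // only </script> ends script data
      continue;
    }
    tags.push(name);
    if (!closing && name === "script") inScript = true;
  }
  return tags;
}

// Constructed attacker input: "<script" is there only to trigger the filter's
// match on the request; the <img ...> is the payload that must not run.
const PAYLOAD = "<script><img src=x onerror=alert(1)>";
const ATTACK_URL = "https://example.test/search?q=" + encodeURIComponent(PAYLOAD);
const BENIGN_URL = "https://example.test/search?q=" + encodeURIComponent("hello");

function runScenario() {
  const page = renderPage(PAYLOAD);
  const filtered = neuteringFilter(ATTACK_URL, page);
  return {
    // Without the filter the payload is a harmless JS string: no <img> in HTML context.
    imgLiveBefore: tagsInHtmlContext(page).includes("img"),
    // After the page's own <script> tag is neutered, the former script data is
    // parsed as HTML and the <img> with its onerror handler becomes live markup.
    imgLiveAfter: tagsInHtmlContext(filtered).includes("img"),
    neuteredHtml: filtered,
    // A request without the watched pattern leaves the response untouched.
    benignUnchanged: neuteringFilter(BENIGN_URL, renderPage("hello")) === renderPage("hello"),
  };
}

const result = runScenario();
console.log("img live before filter:", result.imgLiveBefore);
console.log("img live after filter: ", result.imgLiveAfter);
console.log(result.neuteredHtml);
```

The page was secure on its own; the filter's rewrite of the legitimate opening tag is what moves the attacker's text from script data into markup, which is the "break out" Ross describes. The design point for anyone building such a filter is that rewriting the response changes parse context for content the site had already handled correctly, so the filter itself has to be treated as part of the attack surface.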
Despite the hiccups, Ross argued that it’s important to use a browser with an XSS Filter, as the benefits of protection from a large class of attacks outweigh the potential risks from vulnerabilities in most cases.