A bug in Microsoft’s Internet Explorer has left users of the popular browser vulnerable to cross-site scripting (XSS) attacks, according to researchers at the security firm Imperva Data Security.
The flaw stems from an error in the way double quotes are encoded by IE. According to Imperva’s Rob Rachwald, it could have some serious consequences for websites that support IE.
Imperva researchers discovered that IE fails to percent-encode double quote characters in the query component of a uniform resource identifier (URI), as RFC 3986, the IETF specification of URI syntax, requires. Under that document, a double quote (") is not a permitted character anywhere in a URI and must be sent as %22. IE does this for some parts of a URI, but a double quote in the query component is passed through untouched. That lapse means a crafted link can deliver a literal double quote to a website, and any page that echoes the raw request URI into an HTML attribute or script block without escaping it can have that attribute or block terminated early by the attacker's input.
The problem with double quote characters is not present in competing browsers such as Firefox and Google Chrome, Rachwald said.
Website developers operate under the assumption that requests coming from IE are already encoded by the browser, so code that reflects the raw request URI (server-side, or client-side through properties such as document.URL) often gets no further escaping. The browser's encoding only protects that kind of code, however: individual parameters parsed by a server framework are percent-decoded before the application sees them, so %22 arrives as a literal quote from every browser, and the durable fix in both cases is to HTML-encode values on output regardless of which browser sent them.
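The encoding rule and the reflection pattern described above, as an added example written for this article (it is not Imperva's or Microsoft's code, and the "IE-style" encoder is a simulation based only on the behaviour the researchers describe, namely that the double quote is the character left unencoded). The toy canonical-link handler is a hypothetical application, not a real framework, and the attacker query is constructed for the demonstration:

```javascript
// Added example (not from the original article or from Imperva/Microsoft):
// an RFC 3986 query-component encoder, an "IE-style" encoder that leaves the
// double quote alone (assumption: that is the only difference, per the
// article), and a toy handler that reflects the raw request-target into an
// HTML attribute, shown vulnerable and then hardened. Run with: node <file>.

// RFC 3986 section 3.4:  query = *( pchar / "/" / "?" )
//   pchar      = unreserved / pct-encoded / sub-delims / ":" / "@"
//   unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
//   sub-delims = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "="
// Every other octet, including the double quote (0x22), must appear as %XX.
const QUERY_ALLOWED = /[A-Za-z0-9\-._~!$&'()*+,;=:@\/?]/;

// Percent-encode a query string. Existing %XX triplets are kept (so the
// function is idempotent) and non-ASCII characters are encoded as UTF-8.
// keepRaw lists characters to pass through unencoded; empty means compliant.
function encodeQueryRfc3986(query, keepRaw = new Set()) {
  const utf8 = new TextEncoder();
  const chars = Array.from(query); // iterate by code point, not UTF-16 unit
  let out = "";
  for (let i = 0; i < chars.length; i++) {
    const ch = chars[i];
    if (ch === "%" && /^[0-9A-Fa-f]{2}$/.test(chars.slice(i + 1, i + 3).join(""))) {
      out += chars.slice(i, i + 3).join("").toUpperCase(); // already encoded
      i += 2;
    } else if (QUERY_ALLOWED.test(ch) || keepRaw.has(ch)) {
      out += ch;
    } else {
      for (const b of utf8.encode(ch)) {
        out += "%" + b.toString(16).toUpperCase().padStart(2, "0");
      }
    }
  }
  return out;
}

// Simulated IE behaviour from the article: everything encoded except '"'.
function encodeQueryIeStyle(query) {
  return encodeQueryRfc3986(query, new Set(['"']));
}

// Hypothetical handler that trusts the browser: it splices the request-target
// exactly as received into an attribute value.
function vulnerableCanonicalLink(rawRequestTarget) {
  return '<link rel="canonical" href="https://example.test' + rawRequestTarget + '">';
}

// Hardened handler: attribute-encode on output, whatever the browser sent.
function escapeHtmlAttribute(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}
function hardenedCanonicalLink(rawRequestTarget) {
  return '<link rel="canonical" href="https://example.test' +
         escapeHtmlAttribute(rawRequestTarget) + '">';
}

// The template owns exactly four double quotes (rel="canonical", href="...").
// Any other raw quote in the output means the injected value closed href early.
function attributeBoundaryBroken(html) {
  return (html.match(/"/g) || []).length !== 4;
}

// Constructed attacker input: one double quote is enough to end the href
// value and begin a new attribute (browsers tolerate the missing space).
const ATTACK_PATH = "/search?";
const ATTACK_QUERY = 'q=x"onmouseover="alert(1)';

function demo() {
  const compliantWire = ATTACK_PATH + encodeQueryRfc3986(ATTACK_QUERY);
  const ieStyleWire = ATTACK_PATH + encodeQueryIeStyle(ATTACK_QUERY);
  return {
    compliantWire, // /search?q=x%22onmouseover=%22alert(1)
    ieStyleWire,   // /search?q=x"onmouseover="alert(1)
    compliantVulnerable: attributeBoundaryBroken(vulnerableCanonicalLink(compliantWire)), // false
    ieVulnerable: attributeBoundaryBroken(vulnerableCanonicalLink(ieStyleWire)),          // true
    ieHardened: attributeBoundaryBroken(hardenedCanonicalLink(ieStyleWire)),              // false
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The quote count is a deliberately crude stand-in for an HTML parser: it is enough to show that the same application code is safe behind a compliant browser and exploitable behind the simulated IE behaviour, and that output encoding removes the dependence on the browser entirely. Parameters a framework has already percent-decoded would contain a literal quote from any browser, which is why only raw-URI reflection is browser-specific here.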
Imperva reached out to Microsoft about the bug. In its response, Microsoft downplayed the vulnerability, saying “[this flaw is] not something that we consider to be a security vulnerability that will be addressed in a security update.”
Rachwald and Imperva disagree. Citing XSSed.com, a site for public disclosures of XSS vulnerabilities, Rachwald says it lists sites with live XSS flaws that stem from this encoding difference and that affect only IE users.