IE 8 XSS Vulnerability To Get Fixed in June

Microsoft is preparing a security update in June for the IE XSS filter in Internet Explorer 8.

The update will address a flaw in IE 8 that could enable cross-site scripting (XSS) attacks by hackers. Security Response Center spokesman David Ross said last week in this blog post that the change will address the "script tag attack scenario" that was described at a Blackhat Europe presentation earlier this month.

At that conference, security researchers David Lindsay and Eduardo Vela Nava presented their findings on how the IE 8 XSS filter could be abused, resulting in universal cross-site scripting (UXSS) attacks.

Security experts and Microsoft's Ross explained that unlike traditional XSS attacks that require the vulnerability to exist on a specific infected Web site, UXSS attacks target vulnerabilities in client applications, such as browsers, browser plugins, and PDF readers.

"This issue manifests when malicious script can "break out" from within a construct that is already within an existing script block," wrote Ross. He added that while the issue was preliminarily identified and addressed in a January patch of the browser (MS10-002), the new real-world example of UXSS is prompting Microsoft to prep a new patch for June.

Chenxi Wang, security and risk management analyst at Forrester Research, said this vulnerability is brought on when the XSS filter incorrectly disables certain Hypertext Mark-up Language (HTML) attributes. Consequently, it becomes possible for a specially crafted Web page to be loaded, allowing an attacker to execute scripts in a user's browser.

"This mistake made by the cross-site scripting filter in IE actually caused a cross-site scripting error to occur," she said. "This is interesting, because the mission of the XSS filter is to prevent this type of error to happen, but in effect it actually caused an additional XSS attack."

Joshua Talbot, security intelligence manager at Symantec Security Response, added that such an attack requires a multifaceted and sophisticated method of incursion.

"First, they would have to find a suitable target Web site that allows users to publish content, such as a social networking site," he said. "Second, they would have to lure the victim to this page by clicking a specially crafted link. Finally, they would have to have the victim follow the link with a vulnerable Web browser."

Talbot added that with the increasing reliance on browsers and Web sites for banking and communication, UXSS vulnerabilities will become increasingly useful and valuable to attackers.

The researchers who found this security hole worked directly with Microsoft, according to both Wang and Talbot. Microsoft subsequently released its initial update in January and again in March (MS10-018).

Security experts applauded the prospect of a more substantive fix release in the early summer. Microsoft's David Ross said that the company looks "forward to continuing to improve the Internet Explorer XSS Filter going forward to address new attack scenarios and the evolving threat landscape."

"Like many security issues--take malware as an example--attack vectors are always a moving target," Ross wrote. "The role of the browser maker is to do everything we can to keep people safe without them having to do a lot of extra work."

About the Author

Jabulani Leffall is a business consultant and an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. He consulted for Deloitte & Touche LLP and was a business and world affairs commentator on ABC and CNN.

Featured

  • Case Systems makerspace

    Case Systems Launches Line of K–12 Makerspace Installations

    Case Systems recently announced the launch of SALTO, a line of classroom fixtures and installations for K–12 learning spaces like STEM labs, art rooms, and makerspaces. The product line is designed to provide teachers with flexibility and adaptability, enabling them to shift between collaborative and individual learning environments.

  • An elementary school teacher and young students interact with floating holographic screens displaying colorful charts and playful data visualizations in a minimalist classroom setting

    New AI Collaborative to Explore Use of Artificial Intelligence to Improve Teaching and Learning

    Education-focused nonprofits Leading Educators and The Learning Accelerator have partnered to launch the School Teams AI Collaborative, a yearlong pilot initiative that will convene school teams, educators, and thought leaders to explore ways that artificial intelligence can enhance instruction.

  • A top-down view of a person walking through a maze with walls made of glowing blue Wi-Fi symbols on dark pathways

    Navigating New E-Rate Rules for WiFi Hotspots

    Beginning in funding year 2025, WiFi hotspots will be eligible for E-rate Category One discounts. Here's what you need to know about your school's eligibility, funding caps, tracking requirements, and more.

  • futuristic VR goggles with blue LED accents, placed in front of a fantastical landscape featuring glowing hills, a shimmering river, and floating islands under a twilight sky

    Los Angeles Unified School District Adopts VR Learning Platform, Resources

    Los Angeles Unified School District (LAUSD) recently announced a partnership with Avantis Education to bring educational virtual and augmented reality (VR/AR) solution ClassVR to its students. A news release reports that the district has already deployed more than 16,000 ClassVR headsets as part of the Los Angeles Unified Instructional Technology Initiative.