Microsoft slates June update to block IE8 abuse

Microsoft plans to update Internet Explorer 8 (IE8) in June to stymie attacks that could turn the browser's cross-site scripting filter against Web sites, the company's security team said yesterday.

Microsoft's move was prompted by a presentation last week at Black Hat Europe, where researchers Eduardo Vela Nava and David Lindsay showed how IE8's cross-site scripting filter -- an anti-malware feature that debuted in a beta of the browser last year -- could be used by hackers to launch attacks against sites that would normally be immune. Among the sites that could be abused: Microsoft's own Bing search engine, Digg, Google , Twitter , Wikipedia and "many many more," they said.

IE8 uses what Vela Nava and Lindsay called a "neutering" technique to quash attempted cross-site scripting attacks. The problem is that attackers can manipulate the mechanism for their own purposes. "An attacker may exploit this behavior in order to prevent client-side security functionality from working," said the pair in a paper they published along with their Black Hat presentation ( download PDF ). "[And] in certain cases [this] can lead to XSS that wouldn't otherwise be possible."

Although Microsoft has dealt with some of the attack scenarios spelled out by Vela Nava and Lindsay in a pair of earlier IE updates -- the January and March emergency updates MS10-002 and MS10-018 -- yesterday the company said it would issue a cross-site scripting filter update to block another possible vector.

"This change will address a SCRIPT tag attack scenario described in the BlackHat EU presentation," said David Ross, an engineer with the Microsoft Security Response Center (MSRC), in an entry on the group's blog . "This issue manifests when malicious script can 'break out' from within a construct that is already within an existing script block."

Unlike security patches, IE8's cross-site scripting filters are typically updated on-the-fly and in the background, but Microsoft's scheduled this fix for June, rather than immediately, to give the company time for testing, a spokeswoman said today.

Other browsers, including Google's Chrome, also offer cross-site scripting filtering . But according to Lindsay, Chrome users are not at risk to the same kind of abuse.

"Chrome's neutering technique is to completely block [the] page," said Lindsay in a direct message via Twitter. "This is preferred over modifying [the] response" as did Microsoft's browser. "IE8 header now allows the same."

Coincidentally, Google patched seven security vulnerabilities in the "stable" Windows version of Chrome earlier today, including two related to cross-site scripting .

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld . Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@ix.netcom.com .

Read more about security in Computerworld's Security Knowledge Center.