Microsoft slates June update to block IE8 abuse

Reacts to Black Hat disclosure of potential manipulation of IE8's cross-site scripting filter

By , Computerworld |  Security, IE8

Microsoft plans to update Internet Explorer 8 (IE8) in June to stymie attacks that could turn the browser's cross-site scripting filter against Web sites, the company's security team said yesterday.

Microsoft's move was prompted by a presentation last week at Black Hat Europe, where researchers Eduardo Vela Nava and David Lindsay showed how IE8's cross-site scripting filter -- an anti-malware feature that debuted in a beta of the browser last year -- could be used by hackers to launch attacks against sites that would normally be immune. Among the sites that could be abused: Microsoft's own Bing search engine, Digg, Google , Twitter , Wikipedia and "many many more," they said.

IE8 uses what Vela Nava and Lindsay called a "neutering" technique to quash attempted cross-site scripting attacks. The problem is that attackers can manipulate the mechanism for their own purposes. "An attacker may exploit this behavior in order to prevent client-side security functionality from working," said the pair in a paper they published along with their Black Hat presentation ( download PDF ). "[And] in certain cases [this] can lead to XSS that wouldn't otherwise be possible."

Although Microsoft has dealt with some of the attack scenarios spelled out by Vela Nava and Lindsay in a pair of earlier IE updates -- the January and March emergency updates MS10-002 and MS10-018 -- yesterday the company said it would issue a cross-site scripting filter update to block another possible vector.

"This change will address a SCRIPT tag attack scenario described in the BlackHat EU presentation," said David Ross, an engineer with the Microsoft Security Response Center (MSRC), in an entry on the group's blog . "This issue manifests when malicious script can 'break out' from within a construct that is already within an existing script block."

Unlike security patches, IE8's cross-site scripting filters are typically updated on-the-fly and in the background, but Microsoft's scheduled this fix for June, rather than immediately, to give the company time for testing, a spokeswoman said today.


Originally published on Computerworld |  Click here to read the original story.
Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Answers - Powered by ITworld

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Ask a Question