
Innovation in Information Security

Coverage of important Information Security and Information Technology news and events from the research team at Sûnnet Beskerming.


Internet Explorer XSS Filter Can Result in XSS Attack Against Immune Sites

Information Security can sometimes be a damned if you do, damned if you don't environment, where inaction is the wrong course and any action taken also turns out to be the wrong course (or something very close to it). The development and inclusion of Cross Site Scripting (XSS) filters in browsers initially seemed like a great thing. Surely they would cut down on the number and type of attacks against users, resulting in a safer Internet for all. The filters would not necessarily need continual updating to keep pace with the latest XSS techniques, though ongoing updating and maintenance is still critical. Provided that they addressed the most common and basic attack methods, they would neutralise many of the attacks doing the rounds.

If the history of antivirus software, in particular, and software in general identifies anything, it is that a great idea and good intentions will eventually be let down by poor or substandard implementation, and that security tools do need to be updated to remain relevant.

Recently disclosed research has identified a flaw with the XSS filter included with Internet Explorer 8 that allows for XSS attacks against sites that would otherwise not be vulnerable to that particular attack. Microsoft has responded that the issue isn't as severe as it seems, and that they are continually updating the filter to address the changing nature of XSS attack vectors.

Whether it is a severe problem or not, Microsoft is scheduled to release an update for this particular issue in June. That has raised questions from some as to why Microsoft is waiting so long to fix it now that it has been made public, given that one of the reasons Microsoft cited for delaying the fix was a lack of real-world attacks using this particular vector, something that is likely to change now that the information is publicly available.

22 April 2010



