Microsoft Corp. plans to update Internet Explorer 8 (IE8) in June to stymie attacks that could turn the browser’s cross-site scripting filter against Web sites, the company’s security team said yesterday.
Microsoft’s move was prompted by a presentation last week at Black Hat Europe, where researchers Eduardo Vela Nava and David Lindsay showed how IE8’s cross-site scripting filter — an anti-malware feature that debuted in a beta of the browser last year — could be used by hackers to launch attacks against sites that would normally be immune. Among the sites that could be abused: Microsoft’s own Bing search engine, Digg, Google , Twitter , Wikipedia and “many many more,” they said.
IE8 uses what Vela Nava and Lindsay called a “neutering” technique to quash attempted cross-site scripting attacks. The problem is that attackers can manipulate the mechanism for their own purposes.
“An attacker may exploit this behavior in order to prevent client-side security functionality from working,” said the pair in a paper they published along with their Black Hat presentation. “[And] in certain cases [this] can lead to XSS that wouldn’t otherwise be possible.”
Although Microsoft has dealt with some of the attack scenarios spelled out by Vela Nava and Lindsay in a pair of earlier IE updates — the January and March emergency updates MS10-002 and MS10-018 — yesterday the company said it would issue a cross-site scripting filter update to block another possible vector.
“This change will address a SCRIPT tag attack scenario described in the BlackHat EU presentation,” said David Ross, an engineer with the Microsoft Security Response Center (MSRC), in an entry on the group’s blog . “This issue manifests when malicious script can ‘break out’ from within a construct that is already within an existing script block.”
Unlike security patches, IE8’s cross-site scripting filters are typically updated on-the-fly and in the background, but Microsoft’s scheduled this fix for June, rather than immediately, to give the company time for testing, a spokeswoman said today.
Other browsers, including Google’s Chrome, also offer cross-site scripting filtering. But according to Lindsay, Chrome users are not at risk to the same kind of abuse.
“Chrome’s neutering technique is to completely block [the] page,” said Lindsay in a direct message via Twitter. “This is preferred over modifying [the] response” as did Microsoft’s browser. “IE8 header now allows the same.”
Coincidentally, Google patched seven security vulnerabilities in the “stable” Windows version of Chrome earlier today, including two related to cross-site scripting .
