Internet Explorer 8 : A protection feature which generates security problems
November 26th, 2009 - 10:13 am ET by J. G.
The XSS attack protection built into Internet Explorer 8 contains vulnerabilities which make safe sites… unsafe.
Well known for having developed the NoScript extension for Firefox, Giorgio Maone has ironically pointed out a situation which Microsoft will surely not be laughing about. In the latest version of its Web browser, Microsoft introduced a new protection layer, the Cross Site Scripting filter, which blocks scripts that attempt to bypass your computer's protections; these attacks are also known as XSS attacks.
According to Microsoft's explanations, the XSS filter in Internet Explorer 8 can prevent a Web site from running a script originating from another site. Typically these scripts are injected through URL parameters, a message posted on a forum, or arbitrary code added to a web page that the browser then processes. If those inputs are not validated, an XSS flaw exists. These attacks aim to collect confidential information and then exfiltrate it, via a cookie, while you browse.
The IE8 XSS filter watches the interaction between sites, and when it detects a potential attack it blocks the script code from executing. When this happens, the user sees a message box: "Internet Explorer has modified this page to help prevent cross-site scripting".
The problem is that, on sites which would normally not be vulnerable, the IE8 XSS filter itself can be abused to enable XSS attacks. This is the issue Giorgio Maone pointed out, adding that it has been well known to security researchers for a long time and that Microsoft had already been warned. Fortunately, although full disclosure has not been made at this time, it appears that Microsoft has nevertheless published corrective measures which have been partially accepted.
A spokesman for Google confirmed to The Register that a significant flaw exists in the way IE8 works, although he did not provide details. While awaiting a corrective patch, Google has already started to implement security measures so that its sites cannot be used for this kind of attack, by disabling the IE8 XSS filter. This is done by adding the HTTP response header "X-XSS-Protection: 0", as documented by Microsoft.
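The opt-out described above, shown as an added example rather than Google's or Microsoft's code: a hypothetical WSGI middleware that sends the X-XSS-Protection: 0 response header, plus a header audit that parses the values IE8 understands (0, 1, and 1; mode=block) and reports whether a given response actually disables the filter.

```python
from wsgiref.util import setup_testing_defaults

def parse_xss_protection(value):
    """Parse an X-XSS-Protection value into (enabled, mode): '0' disables
    the IE8 filter, '1' enables it, '1; mode=block' enables blocking mode."""
    parts = [p.strip() for p in value.split(";")]
    if parts[0] not in ("0", "1"):
        return None  # malformed value; IE8 falls back to its default
    mode = None
    for p in parts[1:]:
        if p.lower().startswith("mode="):
            mode = p.split("=", 1)[1].strip().lower()
    return parts[0] == "1", mode

def ie8_filter_disabled(headers):
    """True only if the response explicitly opts out with '0'.
    A missing header leaves IE8's default (filter on), so False."""
    for name, value in headers:
        if name.lower() == "x-xss-protection":
            parsed = parse_xss_protection(value)
            return parsed is not None and not parsed[0]
    return False

class DisableIe8XssFilter:
    """Hypothetical WSGI middleware: drop any X-XSS-Protection header the
    app set and send 'X-XSS-Protection: 0' on every response instead."""
    def __init__(self, app):
        self.app = app
    def __call__(self, environ, start_response):
        def patched_start(status, headers, exc_info=None):
            headers = [(n, v) for n, v in headers
                       if n.lower() != "x-xss-protection"]
            headers.append(("X-XSS-Protection", "0"))
            return start_response(status, headers, exc_info)
        return self.app(environ, patched_start)

# Minimal app standing in for a site's normal page (constructed sample).
def hello_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<html><body>hello</body></html>"]

def run_sample_request(app):
    """Drive one constructed request through a WSGI app offline."""
    environ = {}
    setup_testing_defaults(environ)
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```

Running `run_sample_request(DisableIe8XssFilter(hello_app))` yields a response for which `ie8_filter_disabled` returns True, while the unwrapped `hello_app` response (no header) does not.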
Besides introducing this vulnerability, the IE8 XSS filter also produces some annoying false positives.