Microsoft plans to update Internet Explorer 8 (IE8) in June to stymie attacks that could turn the browser's cross-site scripting filter against Web sites, the company's security team said yesterday.
Microsoft's move was prompted by a presentation last week at Black Hat Europe, where researchers Eduardo Vela Nava and David Lindsay showed how IE8's cross-site scripting filter -- an anti-malware feature that debuted in a beta of the browser last year -- could be used by hackers to launch attacks against sites that would normally be immune. Among the sites that could be abused: Microsoft's own Bing search engine, Digg,
Google,
Twitter, Wikipedia and "many many more," they said.
IE8 uses what Vela Nava and Lindsay called a "neutering" technique to quash attempted cross-site scripting attacks. The problem is that attackers can manipulate the mechanism for their own purposes. "An attacker may exploit this behavior in order to prevent client-side security functionality from working," said the pair in a paper they published along with their Black Hat presentation (
download PDF). "[And] in certain cases [this] can lead to XSS that wouldn't otherwise be possible."