Microsoft to fix IE XSS filter flaw in June
Microsoft will fully patch the flaw in June, after it was disclosed at the European Black Hat conference.
Another flaw in the cross site scripting (XSS) filter in Internet Explorer 8 will be patched in June - the third time the IE security tool has needed a look-in since the beginning of this year.
The XSS flaw was revealed at the European Black Hat conference by researchers Eduardo Vela Nava and David Lindsay.
"Internet Explorer 8 introduced a new type of defense against cross-site scripting (XSS) attacks," the researchers wrote in a white paper. "The idea was to build filters into the browser which can detect and prevent certain types of malicious XSS attacks."
They noted that most XSS prevention is done on the server side, making Microsoft's method a "novel approach" - and one that other browsers are starting to copy.
Microsoft security engineer David Ross said the flaw was previously disclosed, with vulnerabilities in IE8's XSS system fixed in an update in January and again in March.
Another update will be released in June. "This change will address a SCRIPT tag attack scenario described in the Blackhat EU presentation," Ross said in a blog post.
"This issue manifests when malicious script can 'break out' from within a construct that is already within an existing script block," he added.
Ross said that while the flaw fixed in January was seen on "high-profile web sites", instances of the second style of attack have "been hard to come by."
"Overall we maintain that it's important to use a browser with an XSS filter, as the benefits of protection from a large class of attacks outweigh the potential risks from vulnerabilities in most cases," he added.
The case for a marketing content hub
Transform your digital marketing to deliver customer expectationsDownload now
Fast, flexible and compliant e-signatures for global businesses
Be at the forefront of digital transformation with electronic signaturesDownload now
Why CEOS should care about the move to SAP S/4HANA
And how they can accelerate business valueDownload now
IT faces new security challenges in the wake of COVID-19
Beat the crisis by learning how to secure your networkDownload now