Microsoft to fix IE XSS filter flaw in June

Microsoft will fully patch the flaw in June, after it was disclosed at the European Black Hat conference.

security

Another flaw in the cross site scripting (XSS) filter in Internet Explorer 8 will be patched in June - the third time the IE security tool has needed a look-in since the beginning of this year.

The XSS flaw was revealed at the European Black Hat conference by researchers Eduardo Vela Nava and David Lindsay.

Advertisement - Article continues below

"Internet Explorer 8 introduced a new type of defense against cross-site scripting (XSS) attacks," the researchers wrote in a white paper. "The idea was to build filters into the browser which can detect and prevent certain types of malicious XSS attacks."

They noted that most XSS prevention is done on the server side, making Microsoft's method a "novel approach" - and one that other browsers are starting to copy.

Microsoft security engineer David Ross said the flaw was previously disclosed, with vulnerabilities in IE8's XSS system fixed in an update in January and again in March.

Another update will be released in June. "This change will address a SCRIPT tag attack scenario described in the Blackhat EU presentation," Ross said in a blog post.

"This issue manifests when malicious script can 'break out' from within a construct that is already within an existing script block," he added.

Advertisement
Advertisement - Article continues below

Ross said that while the flaw fixed in January was seen on "high-profile web sites", instances of the second style of attack have "been hard to come by."

"Overall we maintain that it's important to use a browser with an XSS filter, as the benefits of protection from a large class of attacks outweigh the potential risks from vulnerabilities in most cases," he added.

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now
Advertisement

Recommended

Visit/security/encryption/355820/k2view-innovates-in-data-management-with-new-encryption-patent
encryption

K2View innovates in data management with new encryption patent

28 May 2020
Visit/software/video-conferencing/355410/zoom-50-adds-256-bit-encryption-and-ui-refresh
video conferencing

Zoom 5.0 adds 256-bit encryption to address security concerns

23 Apr 2020
Visit/security/hacking/355382/whatsapps-flaw-shoulder-surfing
hacking

WhatsApp flaw leaves users open to 'shoulder surfing' attacks

21 Apr 2020
Visit/security/cyber-security/355368/microsoft-builds-ai-to-detect-security-flaws-with-99-accuracy
cyber security

Microsoft AI can detect security flaws with 99% accuracy

20 Apr 2020

Most Popular

Visit/server-storage/network-attached-storage-nas/355849/western-digital-sneaked-inferior-smr-tech-into
network attached storage (NAS)

Western Digital accused of sneaking inferior SMR tech into NAS drives

1 Jun 2020
Visit/security/data-breaches/355777/easyjet-faces-class-action-lawsuit-over-data-breach
data breaches

EasyJet faces class-action lawsuit over data breach

26 May 2020
Visit/operating-systems/microsoft-windows/355812/microsoft-warns-against-installing-windows-10-may-2020
Microsoft Windows

Microsoft warns users not to install Windows 10's May update

28 May 2020