14 DAY TRIAL // Microsoft plans to release and update to the Internet Explorer 8 XSS Filter that will further bulletproof the browser against attacks. The Redmond company already took measures to address an issue impacting the XSS Filter. In this regard, the January security update to Internet Explorer (MS10-002) was designed to resolve a vulnerability detailed at Blackhat EU. According to David Ross, MSRC Engineering, the software giant is now gearing up to take additional steps in order to protect customers.
A new “update to the IE XSS Filter is currently scheduled for release in June. This change will address a SCRIPT tag attack scenario described in the Blackhat EU presentation. This issue manifests when malicious script can ‘break out’ from within a construct that is already within an existing script block. While the issue identified and addressed in MS10-002 was identified to exist on high-profile web sites, thus far real-world examples of the SCRIPT tag neutering attack scenario have been hard to come by,” Ross explained.
The promise from the Redmond company is that additional work will be done in order for the Internet Explorer XSS Filter to continually improve. At the same time, Ross underlined that updating the browser was a task that Microsoft did looking to minimize the strain in terms of resources and effort for customers, as much as possible.
“In the case of the Internet Explorer XSS Filter, researchers found scenarios that are generally applicable across XSS filtering technologies in all currently shipping browsers with this technology built-in. In January (MS10-002) and again in March (MS10-018), we took steps to mitigate this threat class and we’ll take the next major step in the June timeframe. Overall we maintain that it’s important to use a browser with an XSS Filter, as the benefits of protection from a large class of attacks outweigh the potential risks from vulnerabilities in most cases,” Ross added.
The XSS Filter is a security feature added to Internet Explorer 8 in an effort by Microsoft to help secure the browser against attacks targeting Cross-Site Scripting (XSS) vulnerabilities. By exploiting an XSS hole, attackers can steal cookies, monitor keystrokes, and even masquerade as the victim on websites.
Internet Explorer 8 (IE8) RTW is available for download here (for 32-bit and 64-bit flavors of Windows XP, Windows Vista, Windows Server 2003 and Windows Server 2008). Internet Explorer 9 (IE9) Platform Preview is available for download here.