Microsoft Fixes DOM XSS Flaw in Surface Domain After Being Notified by Expert

Security researcher Mirza Burhan Baig has been acknowledged for his work

By on December 18th, 2012 09:00 GMT

Independent security researcher Mirza Burhan Baig, who is currently working with blackbitz.net, has managed to identify a DOM-based cross-site scripting (XSS) vulnerability on Microsoft’s Surface webpage.

“Microsoft fixed that issue one day after I reported it to them. I just emailed the details to their security department at secure@microsoft.com, then they gave me a case ID and a case manager who coordinated the fix with me,” the researcher told me in an email.

The researcher has provided several screenshots (available below) which demonstrate the existence of the security hole.

For his findings, Microsoft has listed him on the company’s “Security Researcher Acknowledgments for Microsoft Online Services” page.

DOM-based XSS is an attack in which the payload is executed as a result of modifications made to the DOM environment, which cause the page’s own client-side code to execute in an “unexpected” manner.

The targeted page itself isn’t changed in these attacks: the HTML the server sends is the same for everyone, but the client-side script contained in the page reads attacker-controlled input (such as part of the URL) and, because of that malicious input, runs differently than intended.
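To make the source-to-sink flow concrete, here is an added example that is not from the article and does not reproduce the actual Surface page flaw (the article gives no technical details of it). It assumes a hypothetical greeting script that reads a `name` parameter from the URL fragment (`location.hash`, the source) and writes it into the page with `innerHTML` (the sink); the safe variant treats the value as text instead. It is written so it runs under Node without a browser: each render function returns the string the page would have written into the DOM.

```javascript
// Added example (not the article's or Microsoft's code): DOM-based XSS
// source-to-sink flow, vulnerable version beside the hardened one.
// Source: window.location.hash. Sink: element.innerHTML.

// Parse "#key=value&key2=value2" into an object, percent-decoding values
// the way client-side URL-fragment parsers commonly do.
function parseFragment(hash) {
  const params = {};
  const body = hash.startsWith('#') ? hash.slice(1) : hash;
  for (const pair of body.split('&')) {
    if (!pair) continue;
    const [key, ...rest] = pair.split('=');
    try {
      params[decodeURIComponent(key)] = decodeURIComponent(rest.join('='));
    } catch (e) {
      // Malformed percent-encoding: skip the pair instead of throwing.
    }
  }
  return params;
}

// VULNERABLE: concatenates an attacker-controlled value into markup.
// The returned string is exactly what `greeting.innerHTML = ...` would
// write, so any tag in the fragment becomes live DOM on the unchanged page.
function renderGreetingUnsafe(hash) {
  const name = parseFragment(hash).name || 'visitor';
  return '<p>Hello, ' + name + '!</p>';
}

// HTML-escape the five characters that can start or end markup/attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// FIXED: treat the value as text. In a browser the idiomatic fix is
// `el.textContent = name`; returning the escaped string is the equivalent
// here so the two variants can be compared side by side.
function renderGreetingSafe(hash) {
  const name = parseFragment(hash).name || 'visitor';
  return '<p>Hello, ' + escapeHtml(name) + '!</p>';
}

// Constructed sample input (hypothetical): a fragment carrying an HTML tag
// with an event handler in the "name" value.
const SAMPLE_HASH = '#name=' + encodeURIComponent('<img src=x onerror=alert(1)>');

// Test-harness check: does the rendered output contain a tag beyond the
// template's own <p>? (A detection aid for tests, not a production filter.)
function containsInjectedMarkup(html) {
  const inner = html.replace(/^<p>/, '').replace(/<\/p>$/, '');
  return /<[a-z]/i.test(inner);
}

console.log('unsafe:', renderGreetingUnsafe(SAMPLE_HASH));
console.log('safe:  ', renderGreetingSafe(SAMPLE_HASH));
```

The point the example makes is that nothing server-side changed: the same script ships to every visitor, and only the value it reads from the URL decides whether the output is harmless text or an injected element. Note that a fragment never reaches the server at all, so server-side logging and filtering do not see this input; the fix has to live in the client-side code, by using a text-only sink such as `textContent` (or escaping) rather than `innerHTML`.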

Vulnerability on Microsoft's Surface page (gallery of 5 screenshot images, not reproduced here)
