The company's response outraged the hacker, so he came forward with his story

Apr 7, 2012 13:21 GMT  ·  By
Hacker is outraged because Microsoft considers the lack of XSS filters unimportant

Gambit, the hacker who recently identified some serious XSS vulnerabilities in sites such as Edmodo and HP, confronted Microsoft over the lack of a cross-site scripting (XSS) filter in the MSN Explorer browser.

MSN Explorer is a browser, similar to Internet Explorer, that integrates services such as Windows Live Hotmail and Windows Live Messenger; its latest version was released in August 2011.

The hacker contacted Microsoft representatives to raise his concerns about the missing XSS filter, which he considers a security hole.

“I saw the MSN browser icon the other day and decided to see if it was like IE, if it had an XSS filter. With a quick check I found it to be vulnerable to XSS. I contacted Microsoft about it,” Gambit explained.

“They had me update my IE to 8 and when I asked why, I was met with the response of 'MSN explorer is essentially a branded version of IE and so it’s likely that if MSHTML is updated to the IE8 version, which is the first version that incorporated the XSS filter, that the MSN explorer may also then have the XSS filter.'”

Much to the security expert’s surprise, the XSS filter was missing.

“It had no XSS filter and when I informed them of this, they told me, 'The lack of an XSS filter is not considered a security vulnerability in the browser.'”

But Microsoft’s response didn’t satisfy the hacker, mainly because he’s highly aware of the numerous threats posed by the presence of XSS flaws.

“Now tell me... If the lack of an XSS filter IS NOT a security vulnerability, why was it so important to have one in the IE browser, why does Google pay people for finding a hole in their XSS filter in Chrome?” he concluded.

It may be true that the lack of an XSS filter is not a vulnerability in the strict sense, but it certainly gives cybercrooks more room to operate. This is why we have asked Microsoft representatives to state their position on the issue, and we will update the post as soon as we hear from them.
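To make the distinction concrete, here is an added example (not code from the article, Microsoft or any browser vendor) with a simplified model of a browser-side reflected-XSS filter next to the server-side fix, output encoding. The page, URL and payload are constructed; the filter logic is an assumption that only illustrates the idea of matching script-like request parameters against the response.

```python
import html
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample site: reflects the "q" parameter into HTML unencoded.
def vulnerable_search_page(query: str) -> str:
    """The site's real bug: untrusted input written into markup as-is."""
    return f"<h1>Results for {query}</h1>"

def fixed_search_page(query: str) -> str:
    """Server-side fix: HTML-encode untrusted input before output."""
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"

# Assumed heuristic, not any vendor's algorithm: parameter values that look
# like script or event handlers are suspicious when echoed verbatim.
SCRIPT_LIKE = re.compile(r"<\s*(script|img|svg|iframe)|on\w+\s*=|javascript:", re.I)

def reflected_xss_filter(url: str, response_html: str) -> tuple[bool, str]:
    """Simplified browser-side filter: if a script-like query value appears
    verbatim in the response, neuter it by breaking its tags. Returns
    (triggered, html_as_the_browser_would_render_it)."""
    for _, value in parse_qsl(urlsplit(url).query):
        if SCRIPT_LIKE.search(value) and value in response_html:
            neutered = value.replace("<", "&lt;")
            return True, response_html.replace(value, neutered)
    return False, response_html

def outcome(url: str, page_fn, untrusted: str) -> tuple[bool, bool]:
    """Returns (filter triggered, executable <script> still reaches the DOM)."""
    triggered, rendered = reflected_xss_filter(url, page_fn(untrusted))
    return triggered, "<script" in rendered.lower()

if __name__ == "__main__":
    payload = "<script>alert(1)</script>"            # constructed test input
    url = "http://example.test/search?q=" + payload
    # Filter present, site buggy: filter catches the reflection.
    print(outcome(url, vulnerable_search_page, payload))           # (True, False)
    # Site encodes output: nothing to filter, nothing executes.
    print(outcome(url, fixed_search_page, payload))                # (False, False)
    # Same bug but payload stored server-side (no URL parameter):
    # a reflected-XSS filter is blind, only the site fix helps.
    print(outcome("http://example.test/comments", vulnerable_search_page, payload))  # (False, True)
```

The filter is defence in depth for the user; the vulnerability itself lives in the site that fails to encode output, which is why a missing filter is a weaker protection rather than a browser hole.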

Update. Microsoft responded to our inquiry and through a spokesperson told us the following:

We are looking into this and will take the necessary steps to protect our customers. People can further protect their systems and improve their basic computer hygiene by enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software.

Additional information can be found at microsoft.com/security/pc-security/protect-pc.aspx
