Internet Explorer encodes double quotes differently than Chrome or Firefox

Jan 20, 2012 16:07 GMT

A flaw currently present in Internet Explorer (IE) could be exploited by hackers and used to launch cross-site scripting (XSS) attacks, due to the way the double quote character (") is encoded by the web browser.

IMPERVA researchers found the vulnerability and contacted Microsoft, but the Redmond company doesn’t see it as a security vulnerability.

“The behavior you are describing is something that we are aware of and are evaluating for changes in future versions of IE, however it's not something that we consider to be a security vulnerability that will be addressed in a security update,” said a Microsoft representative regarding the issue.

On the other hand, IMPERVA experts reveal that XSSed, a website that publicly discloses XSS vulnerabilities, reported a number of attacks that only affect IE users due to this encoding bug.

So what is this bug exactly?

Because IE doesn’t encode double quote characters in the query part of the uniform resource identifier (URI), websites that support the browser may assume the URI is already properly encoded and embed the request URI “as is” in the HTML response.

But since they’re not properly encoded, this may break the site’s structure and allow a hacker to launch an XSS attack.

RFC 3986, the Internet standard that defines the URI syntax, states that characters such as the double quote should be “pct-encoded”, a policy that's implemented in other web browsers such as Chrome or Firefox.

Internet Explorer only encodes the problematic character in the path part of the URI and not in the query section. Since many websites are designed to rely on the browser for that encoding, the resulting HTML may be broken and used by the hacker to launch what is called a reflected XSS attack, by convincing the victim to click on a malicious link.
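The following Python snippet is an added example, not code from the article, Imperva or Microsoft. It shows the server-side pattern the article describes (a page that embeds the request URI into an HTML attribute unchanged, trusting the browser to have percent-encoded it) next to the defensive version that percent-encodes the query per RFC 3986 itself and then HTML-escapes the result for the attribute context. The request URIs, the `render_*` functions and the `attribute_value` check are constructed for illustration; the IE-style URI carries a bare double quote in the query, the other carries the `%22` that Chrome or Firefox would send for the same link.

```python
import html
from urllib.parse import quote, urlsplit, urlunsplit

# Constructed sample requests for the same logical link. The first is what a
# browser that leaves the double quote unencoded in the query part would send
# (the IE behaviour the article describes); the second is the RFC 3986 form
# with the character pct-encoded as %22, as Chrome or Firefox send it.
IE_STYLE_REQUEST_URI = '/search?q=hello"world&page=2'
ENCODED_REQUEST_URI = '/search?q=hello%22world&page=2'


def render_unsafe(request_uri: str) -> str:
    """Embed the request URI 'as is' in an href attribute.

    This is the pattern the article warns about: the site assumes the browser
    already percent-encoded the URI, so it performs no encoding of its own.
    A bare double quote in the query therefore terminates the attribute value.
    """
    return f'<a href="{request_uri}">current page</a>'


def normalize_uri(request_uri: str) -> str:
    """Percent-encode path and query ourselves instead of trusting the browser.

    '=' and '&' are kept so the query structure survives, and '%' is kept so
    input that already arrived encoded (e.g. %22) is not double-encoded.
    Every other reserved or unsafe character, the double quote included,
    becomes its %XX form, which makes the output browser-independent.
    """
    parts = urlsplit(request_uri)
    path = quote(parts.path, safe="/%")
    query = quote(parts.query, safe="=&%")
    return urlunsplit((parts.scheme, parts.netloc, path, query, parts.fragment))


def render_safe(request_uri: str) -> str:
    """Normalize the URI, then escape it for the HTML attribute context.

    html.escape(..., quote=True) turns '&', '<', '>', '"' and "'" into entity
    references, so nothing in the value can close the attribute or start a tag.
    """
    return f'<a href="{html.escape(normalize_uri(request_uri), quote=True)}">current page</a>'


def attribute_value(tag: str) -> str:
    """Return what an HTML parser treats as the href value: everything between
    the opening href=" and the next double quote. Used here as a simple check
    that the attribute boundary survived the embedded request URI intact."""
    start = tag.index('href="') + len('href="')
    end = tag.index('"', start)
    return tag[start:end]


if __name__ == "__main__":
    for label, uri in (("IE-style", IE_STYLE_REQUEST_URI), ("pct-encoded", ENCODED_REQUEST_URI)):
        print(f"{label:12} unsafe href -> {attribute_value(render_unsafe(uri))!r}")
        print(f"{label:12} safe   href -> {attribute_value(render_safe(uri))!r}")
```

Running it shows the problem in one line: with the IE-style request the unsafe page's `href` is cut off at `/search?q=hello`, because the bare quote closed the attribute early, while the percent-encoded request renders fine. The safe renderer produces the identical attribute for both inputs, which is the property a defender wants: the markup a server emits must not depend on which browser built the URI.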