Microsoft to fix IE XSS filter flaw in June

security

Another flaw in the cross site scripting (XSS) filter in Internet Explorer 8 will be patched in June - the third time the IE security tool has needed a look-in since the beginning of this year.

The XSS flaw was revealed at the European Black Hat conference by researchers Eduardo Vela Nava and David Lindsay.

"Internet Explorer 8 introduced a new type of defense against cross-site scripting (XSS) attacks," the researchers wrote in a white paper. "The idea was to build filters into the browser which can detect and prevent certain types of malicious XSS attacks."

They noted that most XSS prevention is done on the server side, making Microsoft's method a "novel approach" - and one that other browsers are starting to copy.

Microsoft security engineer David Ross said the flaw was previously disclosed, with vulnerabilities in IE8's XSS system fixed in an update in January and again in March.

Another update will be released in June. "This change will address a SCRIPT tag attack scenario described in the Blackhat EU presentation," Ross said in a blog post.

"This issue manifests when malicious script can 'break out' from within a construct that is already within an existing script block," he added.

Ross said that while the flaw fixed in January was seen on "high-profile web sites", instances of the second style of attack have "been hard to come by."

"Overall we maintain that it's important to use a browser with an XSS filter, as the benefits of protection from a large class of attacks outweigh the potential risks from vulnerabilities in most cases," he added.