XSS Bug in IE8

The Register posted an article about a bug in Internet Explorer 8 that makes ’safe’ sites unsafe. Microsoft was notified by two Register sources a few months ago about the vulnerability.

“If the attacker can figure out a flaw in the way IE 8 is actually doing that output encoding and then create a specific string the attacker will know will be transformed into an actual attack, they could use that to input a value … that actually results in an attack firing on the page. This could be a way to introduce an attack into a page that didn’t have a vulnerability otherwise,” said Michael Coates of Aspect Security.

Source: The Register

Join 16,500+ other happy readers and subscribe to Technibbles Email Digest and receive new posts sent directly to your inbox. All new signups get a copy of our Computer Technicians Quick Reference Guide free. Signup Now!

Your Blogmaster is Lee
Lee is a computer enthusiast and technology writer.

Other Blog posts by Lee

Rob says:

November 20th, 2009 at 12:51 pm

This has got to be one of the ‘lamest’ security flaw articles. I can’t stand these articles that are all ‘fluff’ and ‘maybe’.

If the attacker can figure out a flaw in the way IE 8 is actually doing that output encoding…

Isn’t that the basis of ANY ATTACK! If the attacker could figure out a way to hack into a computer, they could take over the computer. Duh!

It’s almost as bad as the last one from Sophos about Windows7 UAC not protecting against most spyware. Duh…it’s not supposed too! You can’t protect everyone from spyware…most of them are just regular programs that ‘pretend’ to be legitimate. It’s like saying police should be able to capture everyone BEFORE they commit a crime.