Microsoft to fix IE XSS filter flaw in June
Microsoft will fully patch the flaw in June, after it was disclosed at the European Black Hat conference.


Another flaw in the cross site scripting (XSS) filter in Internet Explorer 8 will be patched in June - the third time the IE security tool has needed a look-in since the beginning of this year.
The XSS flaw was revealed at the European Black Hat conference by researchers Eduardo Vela Nava and David Lindsay.
"Internet Explorer 8 introduced a new type of defense against cross-site scripting (XSS) attacks," the researchers wrote in a white paper. "The idea was to build filters into the browser which can detect and prevent certain types of malicious XSS attacks."
They noted that most XSS prevention is done on the server side, making Microsoft's method a "novel approach" - and one that other browsers are starting to copy.
Microsoft security engineer David Ross said the flaw was previously disclosed, with vulnerabilities in IE8's XSS system fixed in an update in January and again in March.
Another update will be released in June. "This change will address a SCRIPT tag attack scenario described in the Blackhat EU presentation," Ross said in a blog post.
"This issue manifests when malicious script can 'break out' from within a construct that is already within an existing script block," he added.
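Ross's description of the break-out points at the server-side defence that should hold regardless of the browser filter: data placed inside an inline script must be encoded so it can neither close the quoted JavaScript string nor, more importantly, the script element itself, since the HTML tokenizer ends a script block at the first "</script" it sees. The following Python helper is an added illustration, not code from the article, Microsoft or the researchers; the function names and sample values are my own.

```python
import json

# Characters that the HTML parser, not the JavaScript engine, acts on inside an inline
# <script> block. Escaping them as \uXXXX keeps the JS value identical while ensuring
# the tokenizer never sees "</script" or "<!--" inside the embedded data.
_HTML_SENSITIVE = {
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
}


def js_literal(value) -> str:
    """Serialise a Python value as a JavaScript literal safe to embed in a script block.

    json.dumps already escapes quotes and backslashes, so a string cannot terminate the
    quoted construct early. ensure_ascii=True also escapes U+2028/U+2029, which older
    engines treat as line terminators. The extra pass handles the HTML-level characters.
    """
    encoded = json.dumps(value, ensure_ascii=True)
    for ch, esc in _HTML_SENSITIVE.items():
        encoded = encoded.replace(ch, esc)
    return encoded


def render_script_block(var_name: str, value) -> str:
    """Hardened form: assign server-supplied data to a JS variable inside <script>."""
    if not var_name.isidentifier():
        raise ValueError("variable name must be a JavaScript identifier")
    return f"<script>var {var_name} = {js_literal(value)};</script>"


def unsafe_render_script_block(var_name: str, value: str) -> str:
    """The pattern the filter was being relied on to cover: raw interpolation into a
    quoted JS string. Kept only to contrast with render_script_block."""
    return f'<script>var {var_name} = "{value}";</script>'


if __name__ == "__main__":
    # Constructed sample value containing a closing script tag.
    sample = {"name": 'x</script>y'}
    print(render_script_block("pageData", sample))
```

The hardened output contains exactly one "</script>", the one the server wrote; the unsafe variant contains two.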
Ross said that while the flaw fixed in January was seen on "high-profile web sites", instances of the second style of attack have "been hard to come by."
"Overall we maintain that it's important to use a browser with an XSS filter, as the benefits of protection from a large class of attacks outweigh the potential risks from vulnerabilities in most cases," he added.
Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.
Nicole is the author of a book about the history of technology, The Long History of the Future.