I would like to add something here... Every user needs to harden their browser in order to protect themselves from all the possible client-side attacks.
Let's be proactive, before being a victim and waiting for a solution.

Regards,
0xN41K

On May 26, 7:30 pm, Sandeep Thakur <[email protected]> wrote:
> Microsoft is preparing a security update in June for the IE XSS filter in Internet Explorer 8. The update will address a flaw in IE 8 that could enable cross-site scripting (XSS) attacks by hackers. Security Response Center spokesman David Ross said last week in this blog post that the change will address the "script tag attack scenario" that was described at a Blackhat Europe presentation earlier this month.
>
> At that conference, security researchers David Lindsay and Eduardo Vela Nava presented their findings on how the IE 8 XSS filter could be abused, resulting in universal cross-site scripting (UXSS) attacks.
>
> Security experts and Microsoft's Ross explained that unlike traditional XSS attacks that require the vulnerability to exist on a specific infected Web site, UXSS attacks target vulnerabilities in client applications, such as browsers, browser plug-ins and PDF readers.
>
> "This issue manifests when malicious script can 'break out' from within a construct that is already within an existing script block," wrote Ross. He added that while the issue was preliminarily identified and addressed in a January patch of the browser (MS10-002 <http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx>), the new real-world example of UXSS is prompting Microsoft to prep a new patch for June.
>
> Chenxi Wang, security and risk management analyst at Forrester Research, said this vulnerability is brought on when the XSS filter incorrectly disables certain Hypertext Mark-up Language (HTML) attributes. Consequently, it becomes possible for a specially crafted Web page to be loaded, allowing an attacker to execute scripts in a user's browser.
>
> "This mistake made by the cross-site scripting filter in IE actually caused a cross-site scripting error to occur," she said. "This is interesting, because the mission of the XSS filter is to prevent this type of error from happening, but in effect it actually caused an additional XSS attack."
>
> Joshua Talbot, security intelligence manager at Symantec Security Response, added that such an attack requires a multifaceted and sophisticated method of incursion.
>
> "First, they would have to find a suitable target Web site that allows users to publish content, such as a social networking site," he said. "Second, they would have to lure the victim to this page by clicking a specially crafted link. Finally, they would have to have the victim follow the link with a vulnerable Web browser."
>
> Talbot added that with the increasing reliance on browsers and Web sites for banking and communication, UXSS vulnerabilities will become increasingly useful and valuable to attackers.
>
> Fortunately, the researchers who found this security hole worked directly with Microsoft, according to both Wang and Talbot. Microsoft subsequently released its initial update in January and again in March (MS10-018 <http://www.microsoft.com/technet/security/bulletin/ms10-018.mspx>).
>
> Security experts applaud the prospect of a more substantive fix release in the early summer. Microsoft's David Ross said that the company looks "forward to continuing to improve the Internet Explorer XSS Filter going forward to address new attack scenarios and the evolving threat landscape."
>
> "Like many security issues -- take malware as an example -- attack vectors are always a moving target," Ross wrote. "The role of the browser maker is to do everything we can to keep people safe without them having to do a lot of extra work."
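The failure mode the quoted article describes, a filter that rewrites the server's response and thereby lets content "break out" of an existing script block, modelled as an added illustration. This is not code from the original thread, from Microsoft's filter, or from the researchers' presentation: the filter is reduced to a regular expression that neuters a matched `<script` tag by inserting a `#` (an assumed simplification of a reflected-XSS filter's neutering strategy), the tag scanner stands in for the browser's tokenizer, and the page, the user-supplied value and the request parameter are constructed for the example.

```javascript
// Added example (not the original post's, Microsoft's or the researchers' code):
// a toy model of a response-rewriting XSS filter that turns a safe page into an
// XSS by neutering the page's own <script> tag. The '#'-insertion rule is an
// assumed simplification of such a filter's neutering strategy.

// Toy filter: if the request parameter looks like a <script tag and the
// response contains one, neuter every opening <script tag in the response.
function filterResponse(requestParam, responseHtml) {
  const signature = /<\s*script/i;
  if (!signature.test(requestParam)) return responseHtml;
  return responseHtml.replace(/<(\s*)script/gi, '<$1sc#ript');
}

// Minimal tag scan standing in for the browser's tokenizer: returns the names
// of the start tags that would become elements. Text between <script> and
// </script> is script data and yields no elements.
function parseTags(html) {
  const tags = [];
  const tagRe = /<\/?([a-zA-Z][^\s>\/]*)[^>]*>/g;
  let inScript = false;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const name = m[1].toLowerCase();
    const closing = m[0].startsWith('</');
    if (inScript) {
      if (closing && name === 'script') inScript = false;
      continue; // script data is never parsed as markup
    }
    if (closing) continue; // an end tag with no open element is dropped
    tags.push(name);
    if (name === 'script') inScript = true;
  }
  return tags;
}

// Constructed page: the server places a user-supplied value inside a script
// string. Inside script data an HTML tag is inert, so the page is safe as
// served. The value is a hypothetical attacker-supplied input.
const userValue = '<img src=x onerror=alert(1)>';
const page =
  '<html><body><script>var name = "' + userValue + '";</script>' +
  '<p>hi</p></body></html>';

// The request parameter only has to trip the signature; it never has to be
// reflected, because the filter's rewrite lands on the page's own tag.
const triggerParam = '<script';

// Elements the browser would build before and after the filter rewrites the
// response. Before: html, body, script, p. After: html, body, sc#ript, img, p.
function demo() {
  return {
    before: parseTags(page),
    after: parseTags(filterResponse(triggerParam, page)),
  };
}

console.log(demo());
```

Before filtering, the `<img>` sits inside script data and never becomes an element; after the filter neuters the page's own `<script>` tag, the same bytes are tokenised as HTML and the `onerror` attribute is now live. The check a practitioner wants for any response-rewriting filter is exactly this one: can the rewrite change the parse context of content it did not itself match?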
