Microsoft fortifies IE8 against new XSS exploits

Engineers in Microsoft's Internet Explorer group continue to refine a new security feature designed to block malicious scripts that can be injected into trusted websites to steal email and account credentials. Judging from the magnitude of the problem, their task may never be completed. Among the multitude of revisions …

COMMENTS

This topic is closed for new posts.
  1. Deadly_NZ

    Oh God yet more patches for IE

    There is only one way to stop these bugs getting in: disable IE in Set Program Access and Defaults and use Firefox or similar with NoScript and other addons.

  2. Sooty

    it'd be nice if...

    IE just blocked all XSS. NoScript does it for me now, but there are a few things which absolutely insist on me violating all security principles and allowing it. Firefox and NoScript just don't have the market penetration to force people to change!

    Ironically, the majority are banks with their 'security' around card purchases; it's soooo secure to enter private card info into an iframe, running masses of Javascript, embedded from a site you've never heard of, into a standard e-commerce site!

  3. Anonymous Coward
    Flame

    @Sooty

    I agree, it's the only way. XSS is the vulnerability. Close it now.

  4. Anonymous Coward
    Unhappy

    XSS isn't a trivial issue

    Unfortunately, blocking XSS is far from trivial (take a look at the ha.ckers.org link in the story). If a site includes HTML content from an untrusted source (the obvious example being webmail) and runs Javascript, then, given enough time to piece together the workings of the site, malicious content can be created, sometimes with no obvious marker as XSS (a trivial example being the inclusion of images called from a malicious webhost with the document.cookie etc., which can be read from the attacker's httpd logs and an automated session capture implemented).

    There are better (and more twisted) minds than mine trying to find new holes in JS, and they will. Javascript itself is the issue, and it needs a total redesign, with variable scoping, stricter permissions on access to functions, and other goodness that is needed in a language that has to work in a hostile network.

    I don't believe a browser can ever succeed in implementing a Javascript interpreter correctly and being secure, but that's just my opinion obviously.
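Comment 4's webmail case, as an added example that is not from the article or from any commenter: an allowlist sanitizer built on Python's standard-library HTMLParser that removes script bodies, on* handlers, javascript: URLs and any <img> that would load from a host other than the mail site, so injected markup cannot beacon document.cookie off-site. The trusted host, the SAMPLE body and the evil.example host are constructed for illustration.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "div", "span", "a", "img"}
ALLOWED_ATTRS = {"a": ("href", "title"), "img": ("src", "alt", "width", "height")}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}  # markup and body both go

class Sanitizer(HTMLParser):
    def __init__(self, trusted_host):
        super().__init__(convert_charrefs=True)  # entities arrive decoded; re-escaped on output
        self.trusted_host, self.out, self.skip_depth = trusted_host, [], 0

    def _safe_url(self, value, same_host_only):
        parsed = urlparse(re.sub(r"[\x00-\x20]+", "", value or ""))  # browsers ignore ctrl chars in schemes
        return parsed.scheme in ("", "http", "https") and not (  # rejects javascript:, data:, vbscript:
            same_host_only and parsed.netloc and parsed.netloc != self.trusted_host)

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
        elif not self.skip_depth and tag in ALLOWED_TAGS:  # unknown tags lose markup, keep text
            kept = []
            for name, value in attrs:
                if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, ()) or (
                        name in ("href", "src") and not self._safe_url(value, tag == "img")):
                    continue  # on*/style/unknown attributes and unsafe URLs never survive
                kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
            if tag != "img" or any(a.startswith(" src=") for a in kept):  # <img> w/o a safe src: dropped
                self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

def sanitize(untrusted_html, trusted_host):
    s = Sanitizer(trusted_host)
    s.feed(untrusted_html)
    s.close()
    return "".join(s.out)

# Constructed sample mail body: script probe, off-site image beacon, javascript: link with a handler, real logo.
SAMPLE = ('<p>Hi <b>there</b></p><script>alert(document.cookie)</script><img src="http://evil.example/t.gif">'
          '<a href="javascript:void(0)" onclick="go()">link</a><img src="/cid/logo.png" alt="logo">')
```

Running sanitize(SAMPLE, "mail.example") keeps only the paragraph, a bare link and the same-origin logo; an allowlist like this is a mitigation for content the site chooses to render, not a substitute for output encoding elsewhere.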

  5. Anonymous Coward
    Thumb Down

    Sounds familiar

    "...its design is likely to remain an iterative, ongoing process with plenty of additional tweaks to come."

    Where have we heard that before? Not from MS, surely?

    How long until SP1 is released?

    How long until SP2?

    How long until anyone with half a brain just gives up and uses Firefox instead?

  6. Chris

    Too much headache for average users

    I use NoScript, but I would never dare install it on "average users'" PCs because I know I will only get more phone calls and I can't be bothered to explain what to do. You might think it would be good in an office, where you can do group 5-minute lessons to people for the sake of that bit of extra security, but I just about manage to install anti-virus, anti-spyware and firewalls on people's PCs and even then I get them asking questions, so NoScript... no thanks.

  7. Whitter
    Flame

    XSS should be on a "need to use" basis

    "The ability of one site to link to code hosted on another site is a key architectural design at the heart of today's website"

    It's an ability that is far overused, much like using Flash when HTML + CSS would have done just as well. It is rarely the consumer whose needs are addressed by these trends in web design: rather, it's what is easiest to code or looks 'coolest' to the marketing monkeys.
