Oh the irony! Internet Explorer’s XSS filter, which was designed to prevent cross-site scripting attacks, can be exploited to carry out attacks that wouldn’t have been possible otherwise.
XSS or cross-site scripting is a type of vulnerability that allows malicious attackers to inject client-side script into web pages. A successful XSS attack can even allow the attacker to gain unrestricted access to the user’s personal profile and other sensitive information.
The IE8 XSS Filter vulnerability affects almost every website that lets users create profiles. Google.com, Wikipedia.org and Twitter.com are some of the high profile sites, which are affected by this attack.
According to Jerry Bryant, a spokesman for Microsoft’s security response team, most of the problems were fixed in the MS10-002 security patch, which was issued earlier this year. MS10-018 cumulative security update for Internet Explorer made further changes to the XSS filter to reduce the security implications. However, not all of the issues have been fixed. Some websites like Google have begun to proactively disable the XSS filter. Until the issue is completely taken care of by Microsoft, regular Internet Explorer users may be better served by switching to an alternate browser.