Guidance on Internet Explorer XSS Filter

The XSS Filter related Blackhat EU presentation discussed a vulnerability that was previously disclosed and addressed in the January security update to Internet Explorer (MS10-002). This attack scenario involved modified HTTP responses, enabling XSS on sites that would not otherwise be vulnerable. 


An additional update to the IE XSS Filter is currently scheduled for release in June. This change will address a SCRIPT tag attack scenario described in the Blackhat EU presentation. This issue manifests when malicious script can “break out” from within a construct that is already within an existing script block.  While the issue identified and addressed in MS10-002 was identified to exist on high-profile web sites, thus far real-world examples of the SCRIPT tag neutering attack scenario have been hard to come by.


Like many security issues – take malware as an example – attack vectors are always a moving target.  The role of the browser maker is to do everything we can to keep people safe without them having to do a lot of extra work. 


In the case of the Internet Explorer XSS Filter, researchers found scenarios that are generally applicable across XSS filtering technologies in all currently shipping browsers with this technology built-in.  In January (MS10-002) and again in March  (MS10-018), we took steps to mitigate this threat class and we’ll take the next major step in the June timeframe.  Overall we maintain that it’s important to use a browser with an XSS Filter, as the benefits of protection from a large class of attacks outweigh the potential risks from vulnerabilities in most cases. 


We look forward to continuing to improve the Internet Explorer XSS Filter going forward to address new attack scenarios and the evolving threat landscape.


David Ross

MSRC Engineering


*This posting is provided “AS IS” with no warranties, and confers no rights*