New XSS vulnerability in IE


Just a quick paste of a comment on the Microsoft Security Response Center blog addressing the recent questions around the XSS issue we are investigating –

We’ve received some questions regarding a reported cross-site scripting (XSS) issue affecting Internet Explorer.  Google Desktop was used in a proof of concept to demonstrate how, in some cases, this issue could allow an attacker to obtain sensitive information. 

This issue may be a bit confusing because it is not really an XSS issue.  A better way to describe it might be to call it “cross-site information disclosure”.

Our investigation indicates that this issue will have limited impact because an effective attack requires a website to expose sensitive information in a specific way.  Basically, an attacker would need to find a way to make a response look like a Cascading Style Sheet, and that response would need to contain sensitive information.

Google has done a good thing for the protection of our mutual customers by mitigating the issue on their servers.  We think that is great.  The underlying cross-site issue still exists within IE and I want to reassure you that we are investigating the root cause of this issue.  Once the investigation is complete we’ll take appropriate action for our customers which may include fixing this in a future security update for IE.

 – Jeremy Dallman
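The comment above describes the condition an attacker needs: a response that is not a stylesheet but that a lenient browser could still parse as CSS, and that also carries sensitive data. The following is an added example, not code from the IEBlog post, Microsoft, or Google, of a server-side audit a site owner could run over their own responses to find that condition. The sample responses, the "sensitive" keyword list and the `X-Content-Type-Options: nosniff` check (a header later browsers honour; whether a given client does is an assumption) are all constructed for the example.

```python
"""Audit HTTP responses for the "cross-site information disclosure" condition.

Added example. A response is flagged when all three hold:
  1. it is NOT declared as text/css,
  2. its body contains at least one "selector { property: value }" shaped block,
     which is what a lenient CSS parser latches onto,
  3. it contains something that looks sensitive and no mitigation is present.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Response:
    url: str
    content_type: str
    body: str
    headers: dict = field(default_factory=dict)


# Heuristic for "could be parsed as CSS": a brace block containing a colon.
CSS_BLOCK = re.compile(r"\{[^{}]*:[^{}]*\}")

# Constructed list of markers for sensitive content; tune to the real site.
SENSITIVE = re.compile(r"(session|token|password|secret|card)", re.IGNORECASE)


def looks_like_css(body: str) -> bool:
    """True if a CSS parser would find at least one declaration block."""
    return CSS_BLOCK.search(body) is not None


def is_mitigated(resp: Response) -> bool:
    """A nosniff header tells a browser that honours it not to treat a
    non-text/css response as a stylesheet (assumption: the client honours it)."""
    value = resp.headers.get("X-Content-Type-Options", "")
    return value.strip().lower() == "nosniff"


def audit(responses) -> list:
    """Return the URLs of responses that satisfy the disclosure condition."""
    findings = []
    for r in responses:
        declared = r.content_type.split(";")[0].strip().lower()
        if declared == "text/css":
            continue  # a genuine stylesheet is expected to be loadable cross-site
        if looks_like_css(r.body) and SENSITIVE.search(r.body) and not is_mitigated(r):
            findings.append(r.url)
    return findings


# Constructed sample responses, as a crawler of your own site might record them.
SAMPLE_RESPONSES = [
    Response("/static/site.css", "text/css", "body { color: #000; }"),
    Response("/api/profile", "application/json",
             '{"user":"alice","session_token":"abc123"}'),
    Response("/api/profile_v2", "application/json",
             '{"user":"alice","session_token":"abc123"}',
             {"X-Content-Type-Options": "nosniff"}),
    Response("/help", "text/html", "<p>Contact us: support@example.com</p>"),
    Response("/dump", "text/plain", "settings { password: hunter2 }"),
]

if __name__ == "__main__":
    for url in audit(SAMPLE_RESPONSES):
        print("possible cross-site disclosure:", url)
```

Of the five constructed responses only `/api/profile` and `/dump` are reported: the real stylesheet is skipped by declaration, the HTML page has no brace block, and the JSON variant with `nosniff` is treated as mitigated. The audit looks only at response shape; it cannot tell whether a URL is reachable cross-site with the victim's cookies, so its output is a list of candidates to review, not proof of exposure.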

Comments (32)

  1. Anonymous says:

    Only IE? and firefox?

  2. Anonymous says:

    Maybe if you opened up the source code, more people can investigate it and it can be fixed easier, and also be promoted and ported to other operating systems and architectures.

  3. Anonymous says:

    Somewhere along the lines people got the idea that open source is the solution to all bugs and security issues. Speaking as a true open source supporter (every program I’ve ever written has been open source) I want to be clear: THIS IS FALSE! Open source can create more problems than it solves.

  4. Anonymous says:

    moopen, how many people do you know that have the time or the patience to read possibly millions of lines of code, line by line, and who can understand every single line and find conflicts and errors in them? Out of everyone I know, no one would do that. Heck, Firefox is open source, when was the last time you and your friends sat down and went through it line by line? I think I’ve made my point.

    -JC

  5. Anonymous says:

    >> Open source can create more problems than it solves.

    True. Especially when you find yourself downloading a million extensions and continually configuring manual workarounds to fix blatant bugs instead of the author fixing the real issue. Mozilla does not give as much a damn as Microsoft, or MS gives more of a damn than Mozilla. I would probably choose the latter.

    Let’s not forget that people continually post 0day exploit code for IE/MS products in general while for Mozilla and many others they decide to disclose any details long after the developer fixed their gaping holes in the next release. Everything would have been fine and dandy regarding the window() exploit if some pompous jack@$$ didn’t decide to disclose exploit code enabling hundreds of people to screw a very big majority of the browser market.

  6. Anonymous says:

    Gabriel Resende: Only Internet Explorer.

    Jason Cox: not *everyone* has to be able to look through the source code, but a large number of people can, and do. However, you are right. Open Source is about freedom, not about security. Take, for example, Opera, which is closed source but has a decent security record, same with Safari IIRC.

    I think the reason IE has such a poor security record is that Microsoft has been more interested in providing non-standard features, like Active-X. Also IE has been largely neglected for the past 5 years.

  7. Anonymous says:

    "Mozilla does not give as much a damn as Microsoft"

    The last time Microsoft released a browser update was around 5 years ago. That’s a long time – a really long time. 5 years ago I was still trying to ‘download teh intarweb’. (well, not that bad, but pretty close). 5 years ago, everyone I knew still used Windows 98, 95, or 3.1. That’s a long time.

    As for this XSS bug. I’ve known about it for at least a couple of days already. MS has just responded to it, and there’s not even a patch! There’s something wrong here.

  8. Anonymous says:

    It’s incredible, every single post leads to a discussion whether open source or microsoft is better.

    Folks, if you like opensource: STAY WITH IT, GO AWAY FROM THIS BLOG, USE FIREFOX, USE OPERA but please leave this blog for useful information.

    Just one thing to Microsoft developer, could you please integrate the "X" to close tabs on the actual tab. On large screens with several tabs open this is very useful.

  9. Anonymous says:

    "Folks, if you like opensource: STAY WITH IT, GO AWAY FROM THIS BLOG, USE FIREFOX, USE OPERA but please leave this blog for useful information."

    Those of us who actually develop for the web aren’t going to ever go back to IE after the burn we’ve got from it over the years, but we still need it to work properly so as not to deprive Fanboys like you of access to sites we develop.

    This post goes directly to the quality of the browser. Do you think that IE7 would have any of the great features it will support without these debates? Just in case you’re wondering, the answer is ‘no’. There’s a serious philosophical debate going on right now about the nature of software as property, and it will, ultimately, generate competition and innovation. Why stifle it?

  10. Anonymous says:

    Nothing against your discussions, which might for any reason improve the quality of a product. However, are these discussions really necessary to be addressed for EVERY single post about ANY topic? The answer must be NO.

    As a web developer you are not "just make it work" for Fanboys like me, you are satisfying the market need (=me and other IE users).

    Discussions are useful, however, not when they result in a war of religion being it MS or OpenSource.

  11. Anonymous says:

    I just think that Microsoft seems more concerned about their business relationships with their partners than the actual users and consumers of the product. It’s quite apparent that, as soon as Mozilla products started to become more popular, Microsoft is/was fearing that companies are going to choose Firefox or another operating system for their deployments. That is why all of the sudden MS is rolling out updates. The truth is, there would be no IE7 if it weren’t for Firefox, and the consumers and users of IE6 would still be stuck on the same technology because MS wouldn’t feel they would need to upgrade it.

  12. Anonymous says:

    Guys and Dolls! This blog is about XSS, who cares whether MS or Firefox is the best browser, IN THIS BLOG! This blog is about XSS!

    Take your war of words to another domain. Maybe MS should open an IE vs Firefox forum?

    PS Interesting reading though.

  13. Anonymous says:

    yopey-

    I have a hard time believing Vista was originally going to include IE6 until Firefox came about.

  14. Anonymous says:

    Guys, please…

    @Soppen: you should have already read that the UI is in development… it is a Beta.. or Alpha UI… the core is much more important than the simple User Interface first.

    About the MSIE vs. Mozilla vs. Opera "battle". Isn’t it allowed to let people choose their browsers? I personally use Firefox most of the time (even at this moment) but I also use Internet Explorer and Opera… all of them are no bad browsers.. OK, the Internet Explorer might have the core engine with lowest web standard support nowadays.. and no tabbed browsing. But the core engine is good.. DHTML, CSS menus work with it.. you can even fix position:fixed with some CSS tricks. So it is still a browser people can work with.

    About the security: yes, people try exploiting browsers all the time.. but for closed source programs this is harder than for Open Source. If you know C/C++ and XUL you could search the Gecko (Firefox) core for vulnerabilities.. for IE you have to hack assembler code or simply try around. About the thing with really fixing or work-arounds: in my eyes if the developers know an issue and fix it within hours/minutes by doing a quick work-around it is OK.. and during the main development they try replacing the work-around with a real fix.. this is how programming works.. if someone tells me about a bug in my programs.. I make a quick work-around for it if I do not see it immediately.. and then during the running development I try fixing it.

  15. Anonymous says:

    You are right, for all, who do not know, how to find those forums, I added the links at the bottom, go there, please, and glorify your browser there, instead of hijacking this blog. Thank you.

    http://forums.mozillazine.org

    http://my.opera.com/community/forums

  16. Bruce Morgan [MSFT] says:

    Sorry, Geoff – the only posts we delete are ones that violate our posting guidelines, and offtopic isn’t one of them:

    1. Offensive or abusive language or behavior

    2. Misrepresentation (i.e., claiming to be somebody you’re not) – if you don’t want to use your real name, that’s fine, as long as your "handle" isn’t offensive, abusive, or misrepresentative

    3. Blog-spam of any kind

    Several thousand comments have been made within these guidelines. People pretty much have to really try to get their post deleted.

  17. Anonymous says:

    "Once the investigation is complete we’ll take appropriate action for our customers which may include fixing this in a future security update for IE."

    May? May??

  18. Anonymous says:

    > ported to other operating systems and archtectures

    moopen: You seem to forget that this is something Microsoft will do anything to avoid. IE is a loss leader, just like the iPod, which is used to promote the use of Windows (and in practical terms, x86, since all the other architectures have long since been killed off) . The difference between IE and the iPod, of course, is that Microsoft has been convicted in competent courts in multiple jurisdictions of engaging in illegal monopoly tactics and deceptive trade practices to ensure that end users do not have a free choice in the matter.

    With regard to those of you complaining about the Firefox fanboyism, may I remind you that the _only_ reason that Microsoft is even funding _any_ IE development at this point is because Firefox began to eat away at their market share? Yes, I’m biased, because I use several operating systems which had no usable browser for years on end. Someone stepped up to the plate and made me one, and it was the Mozilla folks. I meant to try IE on Solaris but Microsoft EOLed that instead of porting it to more OSes. For all Netscape’s faults, the one thing they did right was providing binary packages for a lot of architectures. I note that despite its closed source nature, all but the most rabid free software advocates ran it anyway, because it was available. Microsoft could have filled the gap but made the wrong gamble.

    > Those of us who actually develop for the web aren’t going to ever go back to IE after the burn we’ve got from it over the years, but we still need it to work properly so as not to deprive Fanboys like you of access to sites we develop.

    rubz: I agree and I’m in the same boat. I have users that like to learn more and more kludges to deal with broken caching behavior, broken HTTP status handling, broken CSS handling, etc rather than just switch to a modern browser. That’s their choice but it’s frustrating for me as a developer and service provider. So I’m glad that Microsoft is finally working to catch their browser up with the years of improvement that literally everyone else in the world has made. For the sake of justice, I hope that it’s "too little, too late" for them, but I really want to have lots of compliant browsers on the market, and it sounds like IE7 may actually approach compliance. At that point I won’t have any snarky remarks regarding people running IE, and won’t recommend against it, except of course for their own security.

    Finally, on the topic of security disclosures. Vigorous debate has always taken place as far as the proper methodology to use (just because commercial vendors prefer private disclosure first doesn’t make it the only valid option) but I agree that there has almost certainly been favoritism shown by the discoverers of exploits. BUT! Without going into political analogies that will doubtless draw us into another fruitless flamewar, one must wonder if Microsoft hasn’t done anything to provoke a lack of sympathy on their part, and sympathy toward Mozilla, Opera, KHTML, etc. People tend to root for the underdog…

    P.S. Sorry for the ugly quoting… I couldn’t tell if HTML such as BLOCKQUOTE is allowed and there’s no preview button. (I really can’t resist the snark now. Competing engines such as slashcode, scoop, fark, etc have provided "preview" functionality for years.)

  19. Anonymous says:

    Should not have read about this, now I have to fix my form validation code:)

  20. Maurits says:

    Hmmm… did zeeeh try hard enough to get his comment removed? 🙂

  21. Bruce Morgan [MSFT] says:

    Yes, we had a winner. He (or she) generically insulted the Firefox team (fine, lots of people generically insult the IE team too, and it wasn’t directed at an individual), he used a profane word or two common in PG-13 movies (fine, as long as there aren’t so many it’s just a garbage post), but he also used the "F-word" as the kids say, which is one of the words guaranteed to get your post deleted.

  22. Anonymous says:

    "Our investigation indicates that this issue will have limited impact"

    Why is it then that there are allegedly "numerous websites" that are installing software onto the user’s computer without consent? From this Websense alert (http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=364):

    "Websense® Security Labs™ has started to detect numerous websites, which are actively exploiting this vulnerability to execute malicious code. Visiting one of the malicious websites with an unpatched version of Internet Explorer is enough to compromise the user’s workstation. The websites discovered so far are using the vulnerability to install potentially unwanted software without the end-user’s consent. In the example screenshots below, a fully-patched XP workstation visits a malicious website and is immediately infected. The user’s desktop background is replaced with a message warning of a spyware infection and a "spyware cleaning" application is launched. This application prompts the user to enter credit card information in order to remove the detected spyware."

    As for the Firefox vs. IE debate, this post isn’t the place to talk about web standards and UI features. However, I will say that the IE team (or whoever it is that makes the decisions) has really dropped the ball when it comes to security. It’s one thing to have a lot of security vulnerabilities come up over time, but the fact that so few are ever fixed is repulsive. According to data from Secunia, of the 42 IE security vulnerabilities that have been open at some point since Firefox’s 1.0 release, only 8 have been fully fixed. If Firefox never fixed a single vulnerability since its release, IE users would *still* be exposed to more vulnerabilities than Firefox right now. Meanwhile, Firefox (for Windows) only has 3 out of 23 vulnerabilities yet to completely fix. So as much as IE fanboys like to claim that IE’s vulnerability count is only so high because the browser is so popular, Firefox has still managed to fix more problems than IE. Now it sounds like they’re trying to downplay this obviously serious vulnerability and say they "may" fix it. What’s going on here?

  23. Anonymous says:

    I just received my December security updates. However, the XSS issue still isn’t fixed.

    There are numerous Web sites exploiting this vulnerability to infect users’ computers.

    Microsoft MUST offer critical IE fixes sooner! I understand that building updates for many different IE versions takes its time. However, we all know that the vast majority of IE users have installed XP SP2. Why not offer a fix for this version first (sooner) to protect at least 50% of the installed base ASAP?

    Exploits are coming faster and faster, but Microsoft has not sped up its patch delivery process. This MUST change to prevent people from switching to Firefox!

    Role

  24. Anonymous says:

    No, it looks like the vulnerability (CVE-2005-1790) was fixed. http://www.microsoft.com/technet/security/bulletin/ms05-054.mspx

  25. Anonymous says:

    I apologize to the IE team for my previous post because the December updates in fact include a fix for the XSS issues, and even some more.

    I used IE7 beta 1 to visit Microsoft Update. Thus, of course I wasn’t offered a fix for the issues. 🙂

    Again, a big thanks to the IE team for the fixes, and sorry for my rant

    (All I want is that people don’t have reasons to abandon IE and migrate to Firefox!)

    Role

  26. Maurits says:

    Role, why are you against people switching to Firefox? Personally, as a web developer I’d like browsers to be interchangeable.

    Hopefully, IE7 will be sufficiently different from IE6 to get people to migrate… and hopefully, IE7 will be sufficiently standards-compliant that I won’t care whether my visitors are using IE7 or Firefox…

  27. Anonymous says:

    Don’t know where to post this.. but could you PLEASE fix the problem where after downloading a huge file a little box pops up saying Copying TEMPFilename to realfilename with a Cancel button, right in your face and if you accidentally press space, you cancel! It just cost me 3 hours.

  28. Maurits says:

    @Annoyed:

    I could be wrong, but I think that even if you hit Cancel, the file remains in the temporary download directory. So you should be able to find it.

  29. Bruce Morgan [MSFT] says:

    Tim, sorry but I deleted your post because it had a direct link to an exploit page.

    The XSS vulnerability discussed in this post was not fixed by the December 2005 security updates for IE.

    The security update does include fixes for several other security issues including the one David Hammond pointed to earlier: http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=364

  30. Anonymous says:

    Ah, I see, so this post is actually about this vulnerability: http://secunia.com/advisories/17564/ not this one: http://secunia.com/advisories/15546/. That would explain why it was downplayed.

  31. Anonymous says:

    I understand, Bruce. Sorry for posting it, I’m glad you saw it, though.

    Is there any chance the XSS issue will be fixed out-of-cycle? (before 10th of January)?
