A new flaw in IE 8 can be exploited to introduce XSS , or cross site scripting errors on webpages that are otherwise safe, according to twoRegister sources, who discussed the bug on the condition they not be identified. Microsoft was notified of the vulnerability a few months ago
ronically, the flaw resides in a protection added by Microsoft developers to IE 8 that’s designed toprevent XSS attacks against sites. The feature works by rewriting vulnerable pages using a technique known as output encoding so that harmful characters and values are replaced with safer ones. A Google spokesman confirmed there is a “significant flaw” in the IE 8 feature but declined to provide specifics.
It’s not clear how the protections can cause XSS vulnerabilities in websites that are otherwise safe. Michael Coates – a senior application security engineer at Aspect Security who has closely studied the feature but was unaware of the vulnerability – speculates it may be possible to cause IE 8 to rewrite pages in such a way that the new values trigger an attack on a clean site.