Internet Explorer

IE8's XSS Filter Exposes Sites To XSS Attacks 84

Blue Taxes writes "The cross-site scripting filter that ships with Microsoft's Internet Explorer 8 browser can be abused by attackers to launch cross-site scripting attacks on websites and web pages that would otherwise be immune to this threat. The IE8 filter works by scanning outbound requests for strings that may be malicious. When such a string is detected, IE8 will dynamically generate a regular expression matching the outbound string. The browser then looks for the same pattern in responses from the server. If a match is made anywhere in the server's response, the browser assumes that a reflected XSS attack is being conducted and the browser will automatically alter the response so that the XSS attack cannot succeed. The researchers figured out a way to use IE8's altered response to conduct simple abuses and universal cross-site scripting attacks, which worked against sites that would not otherwise have been vulnerable to XSS." Here is the researchers' backgrounder (PDF) on the attack. Microsoft says that they have issued two patches that address the issue, but the researchers insist that holes remain.
Update: 04/20 14:06 GMT by KD : Microsoft's Security Response Center has issued a statement on the vulnerability.
Microsoft

Chinese Court Rules Microsoft Violated IP Rights 237

angry tapir writes "A Beijing court has ruled that Microsoft violated a Chinese company's intellectual property rights in a case over fonts used in past Windows operating systems. The Beijing Number One Intermediate People's Court ordered Microsoft to stop selling versions of Windows that use the Chinese fonts, including Windows XP. Microsoft plans to appeal the case. Microsoft originally licensed Zhongyi's intellectual property more than a decade ago for use in the Chinese version of Windows 95, according to Zhongyi. Zhongyi argues that agreement applied only to Windows 95, but that Microsoft continued to use the intellectual property in eight versions of Windows from Windows 98 to Windows XP. Vista and Windows 7 are not involved."
