Internet Explorer

IE8's XSS Filter Exposes Sites To XSS Attacks

Blue Taxes writes "The cross-site scripting filter that ships with Microsoft's Internet Explorer 8 browser can be abused by attackers to launch cross-site scripting attacks on websites and web pages that would otherwise be immune to this threat. The IE8 filter works by scanning outbound requests for strings that may be malicious. When such a string is detected, IE8 will dynamically generate a regular expression matching the outbound string. The browser then looks for the same pattern in responses from the server. If a match is made anywhere in the server's response, the browser assumes that a reflected XSS attack is being conducted and the browser will automatically alter the response so that the XSS attack cannot succeed. The researchers figured out a way to use IE8's altered response to conduct simple abuses and universal cross-site scripting attacks, which worked against sites that would not otherwise have been vulnerable to XSS." Here is the researchers' backgrounder (PDF) on the attack. Microsoft says that they have issued two patches that address the issue, but the researchers insist that holes remain.
Update: 04/20 14:06 GMT by KD: Microsoft's Security Response Center has issued a statement on the vulnerability.
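The summary above describes the filter's mechanism in three steps (scan the outbound request, build a pattern from the suspicious string, alter the response wherever that pattern matches). The following is an added example written for this page; it is not the researchers' code, Microsoft's filter, or anything from the linked backgrounder. It is a deliberately simplified model: the list of "suspicious" request markers, the regex construction (a plain escaped, case-insensitive match) and the neutering step (replacing the first character of the match with '#') are all assumptions chosen to make the mechanism visible, not IE8's real heuristics. The point it shows is the one the summary makes: because the match is looked for anywhere in the response, legitimate markup that the server never echoed can still be altered if the same text appears in the request.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed list of request substrings the model treats as suspicious.
# IE8's real heuristics were far more elaborate; this is an illustrative stand-in.
SUSPICIOUS_MARKERS = ["<script", "javascript:", "onload=", "onerror="]


def suspicious_fragments(url):
    """Return the decoded query-string values of an outbound request that
    contain one of the suspicious markers (the 'scan outbound request' step)."""
    query = urlsplit(url).query
    found = []
    for _, value in parse_qsl(query, keep_blank_values=True):
        lowered = value.lower()
        if any(marker in lowered for marker in SUSPICIOUS_MARKERS):
            found.append(value)
    return found


def build_pattern(fragment):
    """Assumed stand-in for the dynamically generated regular expression:
    match the request fragment literally, case-insensitively."""
    return re.compile(re.escape(fragment), re.IGNORECASE)


def filter_response(url, body):
    """Model of the filter: for each suspicious request fragment, look for its
    pattern anywhere in the response body; on a hit, alter the response so the
    matched text is no longer parsed as markup (here: first char becomes '#').
    Returns (possibly altered body, list of matched strings)."""
    altered = body
    hits = []
    for fragment in suspicious_fragments(url):
        match = build_pattern(fragment).search(altered)
        if match is None:
            continue
        matched = match.group(0)
        hits.append(matched)
        neutered = "#" + matched[1:]
        altered = altered[:match.start()] + neutered + altered[match.end():]
    return altered, hits


if __name__ == "__main__":
    # Constructed case 1: the server reflects the parameter; the model alters it.
    reflected_url = "http://example.test/search?q=%3Cscript%3Ealert(1)%3C/script%3E"
    reflected_body = "<p>You searched for <script>alert(1)</script></p>"
    print(filter_response(reflected_url, reflected_body))

    # Constructed case 2: the server does NOT echo the parameter, but the page's own
    # legitimate script tag matches the request fragment, so the model still alters it.
    benign_url = "http://example.test/?q=%3Cscript%20src%3D%22/app.js%22%3E"
    benign_body = '<html><head><script src="/app.js"></script></head><body>Hi</body></html>'
    print(filter_response(benign_url, benign_body))
```

Case 2 is the behaviour defenders should test for: the response was never vulnerable, yet a request crafted to mirror the page's own markup causes the client to rewrite it. In practice, sites that did not want IE8 applying this rewriting could opt out with the `X-XSS-Protection: 0` response header; that header is not mentioned in the story above and is noted here only as a known mitigation of the period.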
Government

$18M Contract For Transparency Website Released — But Blacked Out

zokuga writes "The US government recently approved an $18 million contract for Smartronix to build a website where taxpayers could easily track billions in federal stimulus money, as part of President Obama's promise to make government more transparent through the Internet. However, the contract, which was released only through repeated Freedom of Information Act requests, is itself heavily blacked out. ProPublica reports: 'After weeks of prodding by ProPublica and other organizations, the Government Services Agency released copies of the contract and related documents that are so heavily blacked out they are virtually worthless. In all, 25 pages of a 59-page technical proposal — the main document in the package — were redacted completely. Of the remaining pages, 14 had half or more of their content blacked out.' Sections that were heavily or entirely redacted dealt with subjects such as site navigation, user experience, and everything in the pricing table. The entire contract, in all its blacked-out glory, is here."
