Engineers in Microsoft's Internet Explorer group continue to refine a new security feature designed to block malicious scripts that can be injected into trusted websites to steal email and account credentials. Judging from the magnitude of the problem, their task may never be completed. Among the multitude of revisions …
Oh God yet more patches for IE
There is only one way to stop these bugs getting in: disable IE in Set Program Access and Defaults and use Firefox or similar with NoScript and other add-ons.
it'd be nice if...
IE just blocked all XSS. NoScript does it for me now, but there are a few things which absolutely insist on me violating all security principles and allowing it. Firefox and NoScript just don't have the market penetration to force people to change!
I agree, it's the only way. XSS is the vulnerability. Close it now.
XSS isn't a trivial issue
Unfortunately, blocking XSS is far from trivial (take a look at the ha.ckers.org link in the story). If a site includes HTML content from an untrusted source (the obvious example being webmail) and runs JavaScript, then, given enough time to piece together the workings of the site, malicious content can be created, sometimes with no obvious marker as XSS (a trivial example being the inclusion of images called from a malicious webhost with the document.cookie etc., which can be read from the attacker's httpd logs and an automated session capture implemented).
"...its design is likely to remain an iterative, ongoing process with plenty of additional tweaks to come."
Where have we heard that before? Not from MS, surely?
How long until SP1 is released?
How long until SP2?
How long until anyone with half a brain just gives up and uses Firefox instead?
Too much headache for average users
I use NoScript, but I would never dare install it on "average users'" PCs because I know I will only get more phone calls and I can't be bothered to explain what to do. You might think it would be good in an office, where you can give people group five-minute lessons for the sake of that bit of extra security, but I just about manage to install anti-virus, anti-spyware and firewalls on people's PCs, and even then I get them asking questions, so NoScript... no thanks.
XSS should be on a "need to use" basis
"The ability of one site to link to code hosted on another site is a key architectural design at the heart of today's website"
It's an ability that is far overused, much like using Flash when HTML + CSS would have done just as well. It is rarely the consumer whose needs are addressed by these trends in web design: rather, it's what is easiest to code or looks 'coolest' to the marketing monkeys.