back to article Microsoft preps fix for IE 8 flaw that makes safe sites unsafe

Microsoft will release an update intended to rid Internet Explorer 8 of a vulnerability that can enable serious security attacks against websites that are otherwise safe. The change, which will be introduced in June, will be the third time in six months that Microsoft has tweaked a feature used to filter out XSS, or cross-site …

COMMENTS

This topic is closed for new posts.
Silver badge
WTF?

Curious

Microsoft manages 3 patches in 6 months and still can't seem to get it right. NoScript ticks along with regular updates, and if there are any exploits against it I've yet to hear of them.

5
4
Gates Horns

In other news...

"the third time in six months that Microsoft has tweaked a feature used to filter out XSS, or cross-site scripting filter, attacks against websites."

Oh noes! This is their third attempt - have they got it right this time?

Is there *any* MS software that doesn't have a security risk? What about "calculator" and "solitaire"?

3
0

@Will Godfrey

I believe that there is some confusion that you are continuing to promote. Tell me if I'm wrong, my asumption is that the xss filter in IE8 assumes web sites to be whitelisted but filters the script, NoScript on the other hand assumes all sites to be blacklisted,blocking all scripts and basically leaving just HTML, and that you must manually set NoScript to whitelist the site before any scripts work. Now, I assume you have either the time to manually examine all the script on a website before you manually turn NoScript on to whitelist the site, or you just don't or can't be bothered to manually do either or both.

Whatever, NoScript is not invincible, and there are and will be again cases of NoScript being exploited, as it has been in the past. If you really require that your machine remain uninfected to the extent that browsing becomes a chore, the safest option of all is, not to browse.

3
2
Anonymous Coward

@ Neal 5

Have a look at this > http://noscript.net/features#xss

4
1
Headmaster

@Neal 5

Or just use Opera and have the choice of whitelisting OR blacklisting scripting.

You can disable scriping across the board, and turn it on for individual sites

OR you can allow scripting across the board, and disable it for individual sites.

(F12 opens site preferences, Shift F12 opens global preferences)

Can can of course apply the same logic to Plugins, Animated Images, sounds, Flash, Content Blocking and Cookie Handling to create the perfect setup and balance of functionality/security/privacy. You can of course just use a Private Tab too. (in 10.5x click on the New Tab button and select New Private Tab, all browsing in this tab is private)

0
0

Am I Missing Something?

The article implies that IE8 will attack the site, not the user. If so, why is this IE's problem? The sites will still be vulnerable to black-hatters, who can use whatever tool they want.

I may well have got the wrong end of the stick - cross-site scripting attacks make my head hurt...

0
0

Grinds my gears

What gets me at the moment, is if a site has a valid certificate but displays non secure content, the padlock is removed on standard SSL sites. If you happen to have one of the stupidly expensive SSL certs that turn the bar green, display in secure content still displays the padlock.

MS in bed with verisign to force people to pay for the overpriced SSL certs?

1
0
Alert

Why?

The real reason for this and similar foul-ups from all vendors is the appallingly low level of expertise among developers/programmers. Sure they can _code_ but they clearly can't see the functional implications of the code they create.

Until software development becomes a genuine engineering discipline performed according to sound core principles by attentive, thoughtful and competent people, things will never change for the better, and we'll go on having to apply streams of patches. Would you fly in a plane that required "patching" every few days? Not bloody likely! So why do we tolerate it in software? Probably only because the vendors already have us by the balls, so we hand them our hearts and minds.

1
0
Silver badge

@Neal 5

You might like to take a look at the NoScript website. It does rather more than you seem to think.

Also, I find a general 'block' policy far more useful that a general 'allow' policy. Apart from anything else my browser runs faster and cleaner without the dozen or so third party scripts that seem to come with most websites these days (and are of no benefit at all to me).

As for your last comment... bit silly really.

1
0

Why do otherwise competent computer users

persist in using Internet Explorer to browse the web ? I merely ask....

Henri

0
0
Anonymous Coward

My employer makes me

At work, I'm denied from using anything other than IE. Almost never worked anywhere that did allow any other browsers.

At home I use Chrome.

0
0
This topic is closed for new posts.

Forums