An information disclosure threat in Microsoft's Internet Explorer affects all supported versions of the browser and, among other things, makes it trivial for attackers to force victims to post attacker-dictated messages on Twitter, a security researcher said this week. The “Twitter-rolling” attack, which was first described …
"it seems easier to make a single change in the IE code base than to expect an untold number of webmasters to revise their sites"
Fixing the sites will only work for the ones who expose the "feature" in error. It's not going to help with sites (or hacked sites) that do it deliberately. The only answer is to fix IE.
Nein, nein, nein
If IE Nein doesn't suffer from this vuln, then at least they've finally written some new code.
I expect it's related to the scripting built into CSS that's proprietary to IE. If it's quirks mode then IE Nein will also suffer as it ships with no fewer than four parsing engines for backwards incompatibility with their browsers formerly known as "great" or "best ever", but now on the scrap-heap.
This can be blamed on Ballmer too
[There are some problems with your post]
“The primary responsibility has got to fall on the developer who is taking untrusted data and putting it in a CSS context within an HTML page,” he told The Reg. “If you don't escape properly, you're going to have XSS every time. Until developers get that through their head, we're going to have to live with lots of XSS holes.”
Hear, hear that man!
In this instance I see no reason why IE should not be 'fixed'. However, if it's XSS, then the so-called developers should learn to code responsibly. If any developer blindly allows attackers to inject code - either through laziness or ineptitude - they deserve what they get... Hopefully a job collecting and emptying wheelie bins.
All the same, it won't hurt Microsoft to issue an update to resolve their end. (At least then 'developers' delivering unfit code may start to assume responsibility for their mistakes. Then again, probably not).
this is still XSS. Don't blame the browser
No offence, but this is still an XSS vulnerability. Learn to validate inputs, guys! Just because it's supposed to be CSS doesn't mean you should validate it!!!
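The escaping and input validation that the comments above argue about, for untrusted data placed in a CSS context, shown as an added example that is not part of the original thread or of any site discussed in it. The profile page, its two fields and every function name are assumptions made for illustration.

```python
import re

# Assumption: a hypothetical profile page lets users pick a font name
# (free text) and a colour (strict format). Neither name is from the thread.
HEX_COLOUR = re.compile(r"#(?:[0-9a-fA-F]{3}){1,2}")
DEFAULT_COLOUR = "#000000"


def css_escape(value: str) -> str:
    """Encode untrusted text for use inside a quoted CSS string.

    Every character outside ASCII letters and digits becomes a hex escape
    (backslash, code point, one terminating space), so quotes, braces,
    semicolons, backslashes and '<' cannot close the string, start a new
    declaration or break out of the surrounding <style> element.
    """
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ch == "\x00":
            out.append("\\fffd ")  # CSS has no valid escape for NUL
        else:
            out.append("\\%x " % ord(ch))
    return "".join(out)


def safe_colour(value: str) -> str:
    """Allowlist validation: values with a strict grammar are checked, not escaped."""
    return value if HEX_COLOUR.fullmatch(value) else DEFAULT_COLOUR


def render_style(font: str, colour: str) -> str:
    """Build the <style> block with both untrusted values neutralised."""
    return ('<style>.profile { font-family: "%s"; color: %s; }</style>'
            % (css_escape(font), safe_colour(colour)))


if __name__ == "__main__":
    # Constructed input that tries to close the string, the rule and the tag.
    hostile = 'Arial"; } body { display: none } </style>'
    print(render_style(hostile, "red; background: url(//example.invalid)"))
```

Free text is escaped because it has no grammar to check against, while the colour is validated against an allowlist and replaced with a default when it does not match.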
Jeff Williams wrong?
Perhaps Mr. Williams should have examined the sample exploit more carefully before commenting?
"Until developers get that through their head, we're going to have to live with lots of XSS holes."
This shall be saved for ..err ... posterity.
There are more flaws like this, and they all boil down to IE not following standards where other browsers do...
For instance, if the server returns a content type of text/plain but the text contains HTML tags, most browsers will display it as plain text. IE will ignore the content-type and try to render the HTML.
For any other browser, setting the content-type to text/plain is enough to eliminate any XSS vulnerabilities since the browser will make no effort to parse anything.
IE doesn't enforce content-type shocker
This is news?
I thought it was common knowledge to everyone since ever.
Relying on HTTP headers for your security!!! Yeah - that's a good idea.