Hacker Confronts Microsoft on Lack of XSS Filters in MSN Explorer

Gambit, the hacker who recently identified some serious XSS vulnerabilities in sites such as Edmodo and HP, confronted Microsoft regarding the lack of cross-site scripting (XSS) filters in the MSN Explorer browser.

MSN Explorer is a browser, similar to Internet Explorer, which integrates some features like Windows Live Hotmail and Windows Live Messenger. The latest variant was released in August 2011.

The hacker contacted Microsoft representatives to reveal his concerns regarding the lack of XSS filters, a fact that he considers to be a security hole.

“I saw the MSN browser icon the other day and decided to see if it was like IE, if it had an XSS filter. With a quick check I found it to be vulnerable to XSS. I contacted Microsoft about it,” Gambit explained.

“They had me update my IE to 8 and when I asked why, I was met with the response of 'MSN explorer is essentially a branded version of IE and so it’s likely that if MSHTML is updated to the IE8 version, which is the first version that incorporated the XSS filter, that the MSN explorer may also then have the XSS filter.'”

Much to the security expert’s surprise, the XSS filter was missing.

“It had no XSS filter and when I informed them of this, they told me, 'The lack of an XSS filter is not considered a security vulnerability in the browser.'”

But Microsoft’s response didn’t satisfy the hacker, mainly because he’s highly aware of the numerous threats posed by the presence of XSS flaws.

“Now tell me... If the lack of an XSS filter IS NOT a security vulnerability, why was it so important to have one in the IE browser, why does Google pay people for finding a hole in their XSS filter in Chrome?” he concluded.

It may be true that the lack of XSS filters is not a vulnerability in the true sense, but it certainly offers cybercrooks a lot of opportunities. This is why we have asked Microsoft representatives to state their opinion regarding the issue, and we’ll update the post as soon as we hear from them.

