Published in News

IE8 cross-site scripting filter helps hackers

20 April 2010



Flaw creates hole in invulnerable sites


A cross-site scripting filter which ships with the Internet Explorer 8 browser is being used by attackers to launch cross-site scripting attacks on websites and web pages. Sites that would otherwise be invulnerable to such threats are suddenly exposed to this new one.

The flaw was shown off at a recent Black Hat Europe conference and will cause some security headaches for the likes of Bing.com, Google.com, Wikipedia.org, and Twitter.com. The flaw is caused by the fact that such sites let IE 8 users create profiles. Microsoft thought it was being jolly clever when it added the anti-XSS feature in IE 8 last August to detect reflection attacks that can lead to cookie theft, keystroke logging, and Web site defacement.

However, it turns out that Redmond's filters have a problem because of the way they scan outbound requests for strings that may be malicious. When such a string is detected, IE8 dynamically generates a regular expression matching the outbound string. The browser then looks for the same pattern in the server's response. If a match is found anywhere in the response, the browser assumes that a reflected XSS attack is being conducted and automatically alters the response so that the XSS attack will be unsuccessful. But if the attack is not properly stopped, a malicious script may still execute.
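As an added illustration for this page, not code from the article or from Microsoft, here is a simplified model of the mechanism just described: flag a suspicious request parameter, turn it into a regex, and rewrite any match found anywhere in the response. The detection heuristic, the `#` neutering character and both sample pages are constructed assumptions; the point it shows is that the rewrite fires on legitimate server markup too, so the browser ends up modifying a page that never reflected the input.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Simplified model of the reflected-XSS filter behaviour the article describes.
# Heuristic, neutering character and sample pages are constructed for this
# example; they are not Microsoft's actual IE8 rules.
SUSPICIOUS = re.compile(r"<\s*script|on\w+\s*=|javascript:", re.IGNORECASE)

def suspicious_params(url):
    """Return the query parameter values the outbound-request heuristic flags."""
    query = urlsplit(url).query
    return [v for _, v in parse_qsl(query, keep_blank_values=True)
            if SUSPICIOUS.search(v)]

def build_signature(value):
    """Turn a flagged value into the regex the filter then hunts for in the
    response; whitespace is made flexible so minor reflection differences match."""
    return re.compile(r"\s+".join(re.escape(p) for p in value.split()),
                      re.IGNORECASE)

def neuter(match):
    """Break the matched fragment by replacing '<' and '=' with '#', so it no
    longer parses as a tag or attribute."""
    return match.group(0).replace("<", "#").replace("=", "#")

def filter_response(url, body):
    """Apply the filter to a response body. Returns (new_body, altered).
    Note: the match is searched anywhere in the body, not only where the
    server actually reflected the request parameter."""
    altered = False
    for value in suspicious_params(url):
        body, n = build_signature(value).subn(neuter, body)
        altered = altered or n > 0
    return body, altered

# Constructed sample pages.
REFLECTING_PAGE = '<p>You searched for: <script>alert(1)</script></p>'
SAFE_PAGE = '<p>Welcome</p><script src="/static/app.js"></script>'

def demo():
    """Case 1: a genuinely reflecting page, payload is neutered (intended).
    Case 2: a page that never reflects input but carries its own script tag;
    a request whose parameter merely equals that markup makes the filter
    rewrite the site's legitimate script (the risk the article describes)."""
    reflected, hit1 = filter_response(
        "http://example.test/search?q=<script>alert(1)</script>", REFLECTING_PAGE)
    benign, hit2 = filter_response(
        'http://example.test/search?q=<script src="/static/app.js">', SAFE_PAGE)
    return reflected, hit1, benign, hit2
```

Running `demo()` shows the second page's own `<script src=...>` tag being rewritten even though the server never echoed the parameter, which is why a client-side rewrite driven by request content is a risk for otherwise non-vulnerable sites.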

Researchers figured out a way to use IE 8's altered response to conduct attacks. Microsoft said that the problems have since been fixed with the MS10-002 security patch, which was released for IE users earlier this year. However, not all of the issues have been fixed, and the browser's XSS filter is still introducing security risks on certain web sites.
Last modified on 20 April 2010