XSS Trends and Internet Explorer
As far back as 2005, cross-site scripting (XSS) was recognized as
the most commonly reported type of software vulnerability. A more recent
study by Veracode using data from the
Web Hacking Incident Database shows that XSS is the most prevalent vulnerability
in Web applications and the second most likely to be
leveraged in real-world attacks.
Chart courtesy of Veracode; used by permission
Data from the Microsoft
Security Response Center (MSRC) demonstrates the growth in reported XSS
vulnerabilities:
Growth in reported XSS vulnerabilities 2004 – 2012 (first half)
The chart above illustrates how we are seeing XSS actually start to crowd out other
types of reported vulnerabilities percentage-wise, year-over-year.
To help protect users, Internet Explorer pioneered the implementation of multiple
overlapping mitigations targeting XSS, including
httpOnly cookies,
security=restricted IFRAMES,
toStaticHTML(), and the
IE XSS Filter. IE10 introduces support for the new
HTML5 standard IFRAME Sandbox,
which allows developers of Web applications to more tightly control the behavior
of embedded content. We’re intent on continuing these investments, as real-world
data continues to show an uptick in the relative quantity of XSS vulnerabilities
in the wild.
To review the impact of the IE XSS Filter, we’ve done a deep analysis of all vulnerabilities
reported to MSRC in the first half of 2012. This analysis has shown that currently
the IE XSS Filter applies for 37% of all legitimate vulnerabilities
that are reported to the MSRC. (For some perspective, another highly reported vulnerability
class is memory safety, accounting for 24% of vulnerabilities within the
same data set.)
The IE XSS Filter is just one example of how our browser’s threat-mitigation strategy
doesn’t stop with memory safety mitigations like
ASLR and DEP/NX. As more customers and businesses leverage Web technologies,
mitigating XSS and other Web application vulnerabilities has become increasingly
important. We are happy to see the impact mitigations have made against the threat
of XSS, and are looking to continuously innovate in this space going forward.
—David Ross, Principal Security Software Engineer, Microsoft Security Response Center
Comments
Anonymous
September 10, 2012
Normally I wouldn't leave a comment like this, but.... Don't care about this post. I didn't even bother to read it (I normally enjoy reading your posts). Why? BECAUSE I'M STILL WAITING FOR IE10 FOR WINDOWS 7!Anonymous
September 10, 2012
I don't care if this comment hearts anyone here but are IE really a good thing. Even I tried Ie10 I still force to install chrome frame. I use many site on my daily rutine and they have different kind of trouble in Ie10. When I talk most of them they simply let me go for Firefox or chrome. so many time I see error like "unsupported browser". "our site is not worked in your browser". "you need to use google frame". I even not got any answer for this kind of issue.Anonymous
September 10, 2012
When to come to use IE10 by Windows 7? Please carry out early.Anonymous
September 10, 2012
"so many time I see error like "unsupported browser". "our site is not worked in your browser". "you need to use google frame"." Thats because whoever made those websites is either a horrible web designer or is purposefully making their site not work in IE. Its one thing to have problems getting your site to work in IE7, but theres no excuse for a site to be broken in IE9.Anonymous
September 10, 2012
yawn Sorry, this really is cool. But it is useless rather pointless since IE10 IS NOT AVAILABLE ON WINDOWS 7.Anonymous
September 10, 2012
The comment has been removedAnonymous
September 10, 2012
ie10 for windows7 to be released 24 September ?Anonymous
September 10, 2012
7 comments above, none related to the subject. Facepalm.Anonymous
September 10, 2012
Ahh, CommunityServer may've eaten my last comment after I took too long to write it. Short version: XSS filters can allow attackers to selectively edit individual script tags out of a target page, by making it appear that reflection XSS is happening when it's not. It's possible for that to be a security problem in itself, for instance if one script tag sanity-checks some parameters then a second script tag acts on them. What's Microsoft's thinking on this? One other browser seems to block all script on the target page if it suspects an attack, which seems like a good workaround to me. And: this filter has some compatibility impact, even if it's small. The post introducing the filter talks about compatibility a bit. For example, site where you upload webpage templates then immediately preview them might work in other browsers but fail under an XSS filter--I had that problem with another browser's filter. (That's how I disovered that that browser stops all script on the target page. :) ) Should browser makers standardize their rules?Anonymous
September 10, 2012
Well, guess it makes 8 including yours that wasn't related to the subject either. Seriously, what to comment on a subject like this? I mean, is there really no more important stuff the IE team can blog about? All the questions and topics people really do care about are reflected in the comments.Anonymous
September 10, 2012
Except these people are just being stupid and asking questions that were answered months ago. IE10 on Windows 7 will be out when its ready, which might be before the official release date but they might just decide to wait for the release date which is probably around when Windows 8 comes out.Anonymous
September 10, 2012
IE Team should delete or even don't approve in the first place off-topic messages. How can you tolerate all these trolls talking about a totally unrelated subject ("IE10 for Windows 7", for example)?Anonymous
September 10, 2012
[quote]so many time I see error like "unsupported browser". "our site is not worked in your browser". "you need to use google frame". [/quote] I never encountered that message. Give us a list of those many sites that do this ?!!!Anonymous
September 10, 2012
So when are we going to get a response from Microsoft? Zero feedback is not helping your image Microsoft - it shows you have no passion and no comitment to developers. Our concerns go unanswered and our distaste for Microsoft and Internet Explorer grows. Worst of all we've told you plenty of times for many years that the comment form is broken on the IE Blog. It's been confirmed by Microsoft employees and we've even provided you with the fix yet it has not been addressed. How else are we supposed to take this other than as a slap in the face?! MartinAnonymous
September 11, 2012
Need IE 10 on Windows 7Anonymous
September 11, 2012
Randall: If you'd like an XSS detection to prevent rendering of the page in its entirety, use the MODE=BLOCK attribute. I wrote about this here: blogs.msdn.com/.../controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspxAnonymous
September 11, 2012
Armend Mitrovica: "ie10 for windows7 to be released 24 September ?" Huh? Where you have got that date?Anonymous
September 11, 2012
@EricLaw Ridiculous, just ridiculous guys how you avoid to answer any questions on IE 10 for Win 7. Your post right now is another slap in the face! Instead of finally saying something about Win7 availability, you adressed the one single XSS comment. Why aren't you guys posting that IE 10 is coming for Win 7? Just a short little sentence: "Don't worry guys, IE 10 is coming for Windows 7!" ONE SENTENCE LIKE THIS and you would calm everyone down. It's maddening how stubborn Microsoft became since the reign of King Sinofsky the first, ruler of the Sinpire. Or is the reason for the all this silence that IE 10 won't be available for Windows 7 indeed?Anonymous
September 11, 2012
@ I don't care about IE10 - Then you're visiting out-of-date websites that doesn't know there is something as IE9-10, the webdeveloper of those sites is just a IE-hater or you seriously have to stop activating Compatiblity View.Anonymous
September 11, 2012
It is concerning to see XSS growing so exponentially. I should check to see what measures the mainstream web browsers and security software have to offer. Speaking of mainstream web browsers, it reminds that Internet Explorer was once such a browsers. Now, if one asks the question "Is Internet Explorer version X supported on my version oF Windows?" the answers is most likely "No!"Anonymous
September 11, 2012
I am having issues with checkbox not showing the checks, but show up fine with Firefox. I have made sure my system has all the Microsoft updates and have comparied all the add-ons with a co-worker that does not have this issues and diasbled any add-ons he did not have. Thanks for any helpAnonymous
September 11, 2012
Randall: In addition to EricLaw's blog, it's worth noting that in the scenario you describe the IE XSS Filter will disable both script tags. Try it!Anonymous
September 11, 2012
They shouldn't need to say anything because they already told us when it would be coming out months ago.Anonymous
September 11, 2012
"They shouldn't need to say anything because they already told us when it would be coming out months ago." Months? Almost a year ago was the last word on IE 10 for Win7! Since then there is nothing but ominous silence.Anonymous
September 11, 2012
Even a "We hear you... we'll have more to say about IE10 on Win7 soon!" would be better than this silence.Anonymous
September 11, 2012
We hear you. We'll have more to say about IE10 on Win7 soon.Anonymous
September 11, 2012
The comment has been removedAnonymous
September 11, 2012
The comment has been removedAnonymous
September 11, 2012
There are many problems in the Do Not Track function of IE10. The developer of Apache began to ignore this. Microsoft should cope with this problem immediately.
Apache Web software overrides IE10 do-not-track setting news.cnet.com/.../apache-web-software-overrides-ie10-do-not-track-setting
Anonymous
September 11, 2012
>2012 >Still waiting for non-existant IE10 for Win7 I SURE HOPE YOU GUYS DON'T DO THATAnonymous
September 12, 2012
@ Win8 or the highway You mis the comment of IEBlog?Anonymous
September 12, 2012
The comment has been removedAnonymous
September 12, 2012
@EricLaw, dross: Thanks for the replies, and cool to know the second script tag is blocked as well.Anonymous
September 12, 2012
For all who are waiting for Windows 7 support, Read my email to IE team below: <email> Subject: Internet explorer 10 for Windows 7? Sent: Wednesday, August 22, 2012 4:38 PM According to this KB article: support.microsoft.com/.../2718695, Internet Explorer 10 is not yet supported on Windows 7. But this article technet.microsoft.com/.../hh846773.aspx suggests that its only supported on Windows 8 and Server 2012. Does it mean that its scheduled for Windows 7 in future? </email> <email-REPLY> Subject: RE: Internet explorer 10 for Windows 7? Sent: Thursday, August 23, 2012 3:19 AM IE 10 is planned for Windows 7. It’s being worked on. We just don’t have a release date to announce yet. The documentation is written for today. Today, IE10 is only available on Windows 8 and Windows Server 2012. --Ted Johnson for IEBlog </email-REPLY>Anonymous
September 12, 2012
Please support IE10 on Windows 2000, XP and Vista.. make a standalone/portable version for these OSes (let the IE8/7 keep the deep integration at OS level). Please consider this request. Among mainstream browsers, IE is already the only browser supporting just Windows (officially).Anonymous
September 12, 2012
The comment has been removedAnonymous
September 12, 2012
i reckon IE10 will be released on oct 26th the same day as win8 goes on sale to the general public. I still can't believe they didn't give us a new version before RTM, i'm expecting it to be rather buggy.Anonymous
September 12, 2012
I am sorry for the comment which is not related to a report. Windows 8 should return a start button immediately. It is hard to use too much. Since it became behind to a slight degree, it is made to have liked you to abolish. Would you report to OS team?Anonymous
September 12, 2012
The comment has been removedAnonymous
September 12, 2012
Start button was an old age.. welcome to new age.. and try to adjust yourself its extremely easy!!!Anonymous
September 12, 2012
I was wondering, can anyone please confirm if IE10 still reverts to quirks mode if there's a comment before the DOCTYPE? Earlier alphas of IE10 did, but I believe Microsoft were working on a fix. It's discussed by user sahack1 here: msdn.microsoft.com/.../cc288325.aspxAnonymous
September 12, 2012
As of IE10 RP this issue is resolved. Public test case: newilk.com/.../comment-before-doctype IE9 renders in Quirk Mode IE10 RP renders in Standard Mode IE9 treats Doctype as comment if there is a comment before doctype. IE10 respects the comments before doctype and treat doctype separately. This behavior can also be observed via F12 developer tools.Anonymous
September 12, 2012
Well that is marvelous news. Thanx for confirming.Anonymous
September 12, 2012
wheel invention was some thousand ago , but now we use it. Start menu can be inside Windows . i can see and use one icon in 48*48 . but in large tiles or icons user eyes become dizzy ( in Desktop )Anonymous
September 13, 2012
can someone explain to me how ie9 scored soooo low on toms hardware tests? I am no MS basher and love IE9 but the score was 1/3rd of chrome and firefox?Anonymous
September 13, 2012
The comment has been removedAnonymous
September 13, 2012
@Trooper - Exactly! Neutral tests have shown that IE10 is slightly ahead! I've caught myself writing too much "-webkit-" these days, man!Anonymous
September 14, 2012
The comment has been removedAnonymous
September 14, 2012
The comment has been removedAnonymous
September 14, 2012
can someone confirm that ie10 for windows7 will be released the 26-September or 2-October ?Anonymous
September 14, 2012
@Armend Mitrovica - either tell us your source or stop spamming.Anonymous
September 14, 2012
The comment has been removedAnonymous
September 15, 2012
The comment has been removedAnonymous
September 15, 2012
It is said that it was pronounced that Google cut support of Internet Explorer 8. Take out Internet Explorer 10 turned Windows 7 early and let me restore with Windows 8. If the back can do, I will want Internet Explorer 10 for Internet Explorer 9 to correspond to Windows XP and to correspond to Windows Vista. Otherwise, it falls to a share breath of Internet Explorer. Microsoft and idea repair! (Also whether it says and that which the way where Internet Explorer 6 and Internet Explorer 7 also closed own support quickly except the company says.)Anonymous
September 15, 2012
IE10 turned Windows 7 should realize speed and lightness equivalent to Chrome. If memory usage also becomes a prevention eye to a slight degree, I will think that it is still better. Would you also take the point into consideration, when announcing?Anonymous
September 15, 2012
Harry! It is the formal version release on October 26!!Anonymous
September 15, 2012
The official release date of IE10 for Windows 7 is February 29, 2013.Anonymous
September 15, 2012
IE10 release date - Don't say stupid things. If we reach that date, we are already using an IE11 Platform Preview... At least, I hope so.Anonymous
September 16, 2012
@Yannick: If we go by how things are currently handled, that platform preview would be Windows 9 exclusive.Anonymous
September 16, 2012
The comment has been removedAnonymous
September 16, 2012
The comment has been removedAnonymous
September 17, 2012
@IE10 for Win 7 and @IE10 release date: I don't know where you're getting your information but I do know that both of you are wrong. We have not yet announced a release date for IE10 on Windows 7.Anonymous
September 17, 2012
@ieblog but ie10 will not be released in December 2012 right ? it must be released earlier then Novemember 2012 or else people will chose firefox15- 16, or opera, or google chrome, then they don't want ie10.Anonymous
September 17, 2012
The comment has been removedAnonymous
September 17, 2012
The comment has been removedAnonymous
September 17, 2012
Please release IE10 turned Windows 7 early! (beta version or formal version)Anonymous
September 17, 2012
IE9 vulnerability is released yet their is no IE10 to upgrade to, to escape this vulnerability. I expect quite a few people to switch to chrome as a result of this vulnerability. Would be better for MS if they released IE10 and told people to upgrade to that.Anonymous
September 17, 2012
The publishes IE zero day exploit is not working when DEP is enabled. It only works on Windows XP with the current exploit. IE8 and IE9 on Windows 7 might be vunerable but not to the current exploit alone.Anonymous
September 18, 2012
You do realize that microsoft regularly releases security updates for IE9, right?Anonymous
September 18, 2012
The comment has been removedAnonymous
September 18, 2012
Fix for zero day coming: blogs.technet.com/.../additional-information-about-internet-explorer-and-security-advisory-2757760.aspxAnonymous
September 18, 2012
The comment has been removedAnonymous
September 18, 2012
The comment has been removedAnonymous
September 18, 2012
@palmer Zerodays are common place not only in IE but in other software as well. Since today, the Webkit browser of the iPhone 4S, iPad and iPhone 5 also contain a zero day vunerability. www.goodgearguide.com.au/.../iphone_4s_exploited_mobile_pwn2own_hacking_contest_amsterdam and solving a vunerability in a mobile device in general takes much longer.Anonymous
September 19, 2012
The comment has been removedAnonymous
September 19, 2012
I think that IE10 probably has the same brittleness. Because a base will be a product suitable for IE9 or it. Should not Microsoft back out from development of a browser soon? However, please carry out support of the version released until now. While IE10 turned Win 7 is early, I want you to release.Anonymous
September 19, 2012
The comment has been removedAnonymous
September 19, 2012
The comment has been removedAnonymous
September 19, 2012
The comment has been removedAnonymous
September 20, 2012
The comment has been removedAnonymous
September 20, 2012
@jake Control Panel => Programs => Default Programs =>Set associationsAnonymous
September 20, 2012
@Steve - Well, I have the RTM version of Windows 8 and guess what? sphotos-h.ak.fbcdn.net/.../303848_496464200363848_322531970_n.jpg Please elaborate. :)Anonymous
September 21, 2012
How do you get the favorited they don't appear for me!Anonymous
September 21, 2012
@Larry - Either:
- You must have at least one favorite site (you can add one).
- You might have to scroll to the right if you have lots of Frequent sites or a small screen.
Anonymous
September 21, 2012
The comment has been removedAnonymous
September 21, 2012
@Epic Fail: If you don't see Favorites, I'm guessing you don't have the RTM build of Windows8. You are probably using an older build.Anonymous
September 21, 2012
The comment has been removedAnonymous
September 21, 2012
The comment has been removed