Microsoft, Hacker Attack XSS

5:30 PM -- It's an unlikely alliance, for sure. But a Microsoft engineer and RSnake, the founder of ha.ckers.org d sla.ckers.org -- which have brought attention to the epidemic of cross-site scripting (XSS) vulnerabilities in major Websites -- have begun informally swapping research and ideas on stemming XSS attacks. (See Hackers Reveal Vulnerable Websites.)

RSnake says David Ross, a Microsoft engineer specializing in browser and Web application security, pinged him after reading RSnake's recent blogs on the XSS flaw in Adobe Acrobat Reader and XSS worm research. He's sharing with RSnake some anti-XSS and browser-based exploit research of his own.

Addressing XSS (even at the R&D level) is a big step for Microsoft, which like other browser vendors is now feeling the pressure to come up with anti-XSS measures. "Primarily, they know they have a problem, they know it's a big deal, and they know they need to put more thought into fixing it, even if it's only into the R&D aspect of it," RSnake says. (RSnake is also Dark Reading's Snake Bytes blogger.)

Ross is building some code samples, which ha.ckers will "try to refine/break purely on an R&D basis," RSnake says. "Hopefully from that we can come up with something that could eventually be put into the [IE] browser, but that's pie-in-the-sky thinking. There's a lot of work to be done before anything like that could be considered, including the negatives to the consumer experience by breaking any desired functionality."

The dirty little secret to eliminating big XSS flaws in browsers is that users have to sacrifice functionality, which is one of the reasons most browser vendors haven't wanted to touch XSS flaws with a ten-foot pole. But it's become painfully obvious that they can no longer hide the gaping holes.

This wasn't RSnake's first interaction with Microsoft. A year and a half ago, while playing around with Internet Explorer 7.0's alpha version, he found the new version did not come with a previous IE function that could be used for XSS. So he contacted Microsoft developers to see if this was intentional. They said it was not and they had instead shut it off so other browser exploits wouldn't work. "They had no idea it would affect XSS," he says, and there are only a few instances where an XSS exploit can take advantage of that flaw in IE7. "What started as a bug ended up being a huge benefit to XSS prevention."

Ross says in a research paper he sent to RSnake that this "attack surface-reduction measure" ended up being an effective anti-XSS measure -- "albeit inadvertently."

So the big question is whether any fruits from Ross and RSnake's collaboration (however informal) will somehow eventually make its way into future versions of IE7. We're already anxiously waiting the other shoe to drop with a major XSS attack, so the sooner, the better, guys. (See Five Unsolved Mysteries of Security.)

— Kelly Jackson Higgins, Senior Editor, Dark Reading