Microsoft will plug a hole in a built-in filter in Internet Explorer 8 that can be used to launch the very types of attacks on Web sites it was designed to help prevent, the company said on Tuesday.
The company will update the IE cross-site scripting (XSS) filter in June to fix a hole that researchers warned about at the Black Hat Europe conference in Barcelona last week. The researchers showed how problems with the filter could be used to inject malicious code onto sites including Google, Microsoft's Bing search site, and Twitter.
"A June release is what's usual for the testing involved for updates," a Microsoft spokesperson said.
This will be Microsoft's third attempt to fix security issues with the XSS Filter in IE8.
"The XSS Filter related Blackhat EU presentation discussed a vulnerability that was previously disclosed and addressed in the January security update to Internet Explorer (MS10-002)," David Ross wrote on the Microsoft Security Response Center blog.
That was followed by a critical update in March. (MS10-018)
The update scheduled for June "will address a SCRIPT tag attack scenario described in the Blackhat EU presentation," Ross wrote. "In the case of the Internet Explorer XSS Filter, researchers found scenarios that are generally applicable across XSS filtering technologies in all currently shipping browsers with this technology built-in."
Update 3:50 p.m. PDT: Added comment from Microsoft spokesperson.