Exploiting IE8 UTF-7 XSS Vulnerability Using Local Redirection

As our other posts have shown, keeping your software up-to-date is vital, especially with respect to security. Software updates often include a security component that patches a known vulnerability. By way of example, consider a cross-site scripting (XSS) vulnerability from previous versions of several popular web browsers.

This XSS vulnerability allowed attackers to hijack web browsing sessions within Internet Explorer, Firefox, and Opera.

The exploit was possible if a page did not specify a character set, or charset. By not declaring a charset, the page left the browser to guess the encoding (UTF-7 in this case), and an attacker could use XSS to execute malicious code through the user's webpage, thus gaining access to the system and network.
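The defensive check that follows from this, as an added example that is not part of the original post: a small audit that reports whether a response declares its charset (in the Content-Type header or an early `<meta>` tag) and a helper that adds an explicit charset to text/html responses that lack one. The sample responses are constructed here, not captured traffic.

```python
import re

# Charset declared in the Content-Type header, e.g. "text/html; charset=utf-8".
HEADER_CHARSET = re.compile(r";\s*charset\s*=\s*\"?([\w-]+)", re.IGNORECASE)
# Charset declared in the document itself: <meta charset="..."> or
# <meta http-equiv="Content-Type" content="text/html; charset=...">.
META_CHARSET = re.compile(r"<meta[^>]*charset\s*=\s*[\"']?([\w-]+)", re.IGNORECASE)


def declared_charset(headers, body):
    """Return the charset the response explicitly declares, or None if it
    leaves the browser to guess (the condition the UTF-7 attack relied on)."""
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    match = HEADER_CHARSET.search(ctype)
    if match:
        return match.group(1).lower()
    # Browsers only honour a <meta> declaration found early in the document.
    match = META_CHARSET.search(body[:1024])
    return match.group(1).lower() if match else None


def harden_headers(headers, charset="utf-8"):
    """Return a copy of the headers with an explicit charset on text/html responses."""
    fixed = dict(headers)
    for key, value in headers.items():
        if (key.lower() == "content-type" and "text/html" in value.lower()
                and not HEADER_CHARSET.search(value)):
            fixed[key] = value.rstrip("; ") + f"; charset={charset}"
    return fixed


def audit(headers, body):
    """Classify a response: 'ok' if a charset is declared anywhere, else 'missing'."""
    return "ok" if declared_charset(headers, body) else "missing"


# Constructed sample responses (not captured traffic).
WEAK = ({"Content-Type": "text/html"}, "<html><body>Hello</body></html>")
META_ONLY = ({"Content-Type": "text/html"},
             '<html><head><meta charset="UTF-8"></head><body>Hi</body></html>')
GOOD = ({"Content-Type": "text/html; charset=utf-8"}, "<html><body>Hello</body></html>")

if __name__ == "__main__":
    for name, (hdrs, body) in {"weak": WEAK, "meta_only": META_ONLY, "good": GOOD}.items():
        print(name, audit(hdrs, body))
    print(harden_headers(WEAK[0]))
```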

Rest assured though, this vulnerability was corrected in all three web browsers. Firefox, Opera 9.20, and Internet Explorer 8 all provided patches to eliminate this potential exploit as part of their upgrades.

Although each of those web browsers has had several updates since this vulnerability was discovered – Internet Explorer is now up to version 11 – it is still worth highlighting and discussing.

Using XSS to execute malicious code and gain access to a user's system is a crafty hack, and one each of us must be aware of. Take this example to remind your colleagues, and even your supervisors, of the importance of keeping software up-to-date and patched.

Check back regularly with SecureThoughts to ensure you are aware of the latest vulnerabilities and best security practices. It is up to us to ensure our users' data, and our own data, is protected and secure.
