As you probably know, the details about the paradoxical behavior of the Internet Explorer XSS Filter, introducing XSS vulnerabilities of its own on otherwise immune web sites, which we hinted at some months ago, have been revealed by Edoardo "Sirdarckcat" Vela and David "thornmaker" Lindsay recently at the Black Hat Europe conference, in Barcelona (on a side note, looks like Sirdarckcat enjoyed his stay there so much that he decided to remotely hack a certain volcano...)

I've been quite disappointed by the preamble of their paper, which calls IE8's XSS filter a new type of defense and a somewhat novel approach (before bashing it), when we all know that NoScript came first. Sirdarckcat personally apologized, blaming Lindsay for this and other "pro-big-players" bias, such as the decision of omitting, from the comparative table in their slides, Sirdarckcat's opinion about NoScript's being the safest among the in-browser filters and the hardest to bypass.

Notwithstanding, the technical core of this research is very worth reading, if you're interested in XSS attack and defense techniques.

After the Black Hat debacle got echoes in the press, David Ross, the main XSS Filter engineer at Microsoft, published a Guidance on Internet Explorer XSS Filter document on the Microsoft Security Response Center website, announcing a not better specified "patch" coming in June (mmm, two whole months? need some help?) and making two interesting statements:

In the case of the Internet Explorer XSS Filter, researchers found scenarios that are generally applicable across XSS filtering technologies in all currently shipping browsers with this technology built-in.

This essentially means just two, IE8 and Chrome... but wait, Chrome doesn't ship with its XSS Auditor enabled anymore because it was dog slow!
Hence the final recommendation by Ross...

Overall we maintain that it’s important to use a browser with an XSS Filter

... can really mean one thing only: Microsoft maintains that it's important to use Firefox with NoScript :)

8 Responses to “Microsoft Recommends NoScript”

  1. #1 uberVU - social comments says:

    Social comments and analytics for this post

    This post was mentioned on Twitter by ma1: Microsoft endorses Firefox+NoScript :)

  2. #2 Morgan Storey says:

    A bit of spurious reasoning, not that I don't use noscript. I think they were trying to spruik IE8 still. But maybe you could help them along and port noscript to IE, and then they would at least have something to crow about, once they offer you an obscene amount of money and put it into the code natively.
    I am surprised you didn't mention the recent network solutions attack and its injection of malicious javascript, if something like noscript was globally used this breach may have been found sooner with less collateral damage, if I saw javascript on my page I would know as there is very little and it isn't whitelisted.

  3. #3 David Lindsay says:

    The wording in the whitepaper preamble was completely mine, so yes, you can blame me. When I said IE8's filters were "somewhat novel", I was referring to to the fact that they were not the first to develop thorough client-side XSS filters, clearly NoScript had been doing this for quite some time, however they were the first *browser* to have such filters built in by default.

    It was not my intent to slight NoScript in any way. In hindsight, I can clearly see your point of view and I apologize for not properly acknowledging NoScript's pioneering role in terms of client-side filters.

    That being said, I make no apologies for the content of the comparison slide in our presentation. Although Eduardo and I had a lot of back-and-forth discussion regarding how to compare things on that slide, the final contents accurately reflect the average of our opinions (which were never that far apart to begin with). And I take offense to any accusations of bias towards "big players"; if anything, the opposite is true.

  4. #4 Giorgio says:

    @David Lindsay:
    OK, apologizes accepted. Please accept mine regarding the "big players bias" allegation, I just had that feeling looking at the table and combining that with the preamble.

    Like you said, no hard feelings.

  5. #5 sirdarckcat says:


    So, yeah.. NoScript is safer, because it stops requests from happening in the first place, however that makes it have a bigger false positive ratio.

    In terms of which one is harder to bypass, the winner is IE8, followed by NoScript, followed by Chrome.. considering that it takes days to bypass IE8, as opposed to chrome/noscript.


  6. #6 Dauns Wurst says:

    So according to this chart NoScripts XSS is bypassable, but in what sense? Generally or just in special cases, because latter was and probably always will be the case.

  7. #7 Dauns Wurst says:

    Forgot what I wrote, I was in a hurry.

  8. #8 Dauns Wurst says:

    Forget what I wrote, I was in a hurry.

Bad Behavior has blocked 729 access attempts in the last 7 days.