A bug in Microsoft’s Internet Explorer has left users of the popular browser vulnerable to cross-site scripting attacks, according to researchers at the security firm Imperva Data Security.
The flaw in IE gets a little techie, but it is essentially this: IE does not properly encode double quotes. This oversight has a significant downstream effect for websites supporting IE (and there are a lot). Since website developers assume requests from IE are properly encoded, hackers can sneak XSS attacks into websites.
According to the IETF RFC 3986, which spells out proper URI syntax, double quote characters (") should be rendered as %22 when they appear in URIs. While IE does this for some parts of a URI, double quotes that appear in the query component of a URI are not translated - a lapse that could let IE browsers splice a malicious link or other attack code into a URI.
The syntax of the query part of the URI is as follows:
pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
query = *( pchar / "/" / "?" )
pct-encoded = "%" HEXDIG HEXDIG
unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
reserved = gen-delims / sub-delims
gen-delims = ":" / "/" / "?" / "#" / "[" / "]" / "@"
sub-delims = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "="
It's easy to verify from these rules that the double quote appears in none of the allowed sets (unreserved, sub-delims, or the extra pchar and query characters), so it must be pct-encoded and therefore represented as %22.
The problem with double quote characters is not present in competing browsers such as Firefox and Google Chrome. Sites have been listed that are currently experiencing XSS attacks stemming from the coding error in question, affecting only IE users.
Website developers operate under the assumption that requests coming from IE are properly encoded by the browser.
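To make the grammar above concrete from the server's side, here is an added example (not code from the article or from Imperva) that checks a query string against the RFC 3986 query production, re-encodes anything a client sent raw, and HTML-escapes a reflected parameter. The query strings used are constructed for illustration; the raw-quote case mirrors what the article says IE sends.

```python
import html
import re
from urllib.parse import unquote

# Characters RFC 3986 lets appear raw in the query component besides ALPHA / DIGIT:
# unreserved "-._~", sub-delims, and the extra pchar/query characters ":" "@" "/" "?".
RAW_ALLOWED = set("-._~" "!$&'()*+,;=" ":@/?")

# query = *( pchar / "/" / "?" ), pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
_QUERY_RE = re.compile(r"(?:[A-Za-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9A-Fa-f]{2})*")
_PCT_RE = re.compile(r"%[0-9A-Fa-f]{2}")


def is_valid_query(query: str) -> bool:
    """True if the string matches the RFC 3986 query production exactly.
    A raw '"' fails, because it is in none of the allowed character sets."""
    return _QUERY_RE.fullmatch(query) is not None


def normalize_query(query: str) -> str:
    """Percent-encode every character the grammar does not allow raw,
    keeping existing %XX escapes. A server can do this instead of
    trusting the browser to have encoded the URI correctly."""
    out = []
    i = 0
    while i < len(query):
        ch = query[i]
        if ch == "%" and _PCT_RE.fullmatch(query[i:i + 3]):
            out.append(query[i:i + 3].upper())  # already encoded, keep as-is
            i += 3
        elif ch.isascii() and (ch.isalnum() or ch in RAW_ALLOWED):
            out.append(ch)
            i += 1
        else:
            # e.g. '"' (0x22) becomes %22, exactly as the RFC requires
            out.append("".join(f"%{b:02X}" for b in ch.encode("utf-8")))
            i += 1
    return "".join(out)


def reflect_param(query: str, name: str) -> str:
    """HTML-safe value of parameter `name`. Escaping happens at the HTML sink,
    so an unencoded quote cannot break out of an attribute no matter how the
    browser encoded the request."""
    for pair in normalize_query(query).split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return html.escape(unquote(value), quote=True)
    return ""
```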
Imperva reached out to Microsoft about the bug. In their response, Microsoft downplayed the vulnerability, saying “[this flaw is] not something that we consider to be a security vulnerability that will be addressed in a security update.”