Security Research & Defense
Information from Microsoft about vulnerabilities, mitigations and workarounds, active attacks, security research, tools and guidance
Postings are provided "AS IS" with no warranties, and confers no rights.
Get alerts when we update our blog!
Attack Surface Reduction
Enhanced Mitigation Experience Toolkit
Internet Explorer (IE)
safe for initialization
safe for scripting
Windows Media components
Browse by Tags
Security Research & Defense
MS08-039: Which users are vulnerable to the OWA XSS vulnerability?
Today we released MS08-039 which addressed several XSS vulnerabilities in Microsoft Exchange’s Outlook Web Access component. While this is an update to be applied to the Exchange server, the clients who use OWA are the computers potentially at risk. We’d like to explain a little more about the vulnerability...
8 Jul 2008
IE 8 XSS Filter Architecture / Implementation
Recently we announced the Internet Explorer 8 XSS Filter and talked a bit about its design philosophy . This post will describe the filter’s architecture and implementation in more detail. Design Goals The Internet Explorer 8 XSS Filter is intended to mitigate reflected / “Type-1” XSS vulnerabilities...
20 Aug 2008
XSS Filter Improvements in IE8 RC1
On Monday IE8 RC1 was released . Here are some of the most interesting improvements and bug fixes to the XSS Filter feature: Some byte sequences enabled the filter to be bypassed, depending on system locale URLs containing certain byte sequences bypassed the Beta 2 filter implementation in some...
30 Jan 2009
Sharepoint XSS issue
Today we released Security Advisory 983438 informing customers of a cross-site scripting (XSS) vulnerability in SharePoint Server 2007 and SharePoint Services 3.0. Here we would like to give further technical information about this vulnerability. What is the attack vector? The advisory states...
30 Apr 2010
More information about the MHTML Script Injection vulnerability
Today we released Security Advisory 2501696 to alert customers to a publicly disclosed vulnerability in the MHTML protocol handler. This vulnerability could allow attackers to construct malicious links pointing to HTML documents that, when clicked, would render the targeted document and reflected script...
28 Jan 2011
Defending Websites from XSS attacks with ModSecurity 2.7.3 and OWASP Core Rule Set 2.2.7
Even though cross-site scripting vulnerabilities have a 15-year history, they remain a big problem in the web security space. According to our research, there are hundreds of new issues discovered each month, and at least a few of them are being used in high-severity attacks. The general problem of...
29 Apr 2013
© 2014 Microsoft Corporation.
Privacy & Cookies