Quite a long time ago I contacted Microsoft regarding what I thought was a XSS vulnerability in IE.
Microsoft disagreed, preferring to call it a ‘feature’.
And this is what I saw yesterday – a compromised site containing a modified GIF file which exploits this XSS vulnerability.
The GIF file contains an embedded iframe pointing to a malicious site. (Thankfully, the site is currently presenting a ‘file not found’ error message.)
Here’s the GIF:
Clicking “view source” doesn’t reveal any malicious code – and this makes a quick analysis of the threat more difficult.
Following this discovery we’ve contacted Microsoft again – hopefully they’ll reconsider their position on this issue.