
» IT Security NEWS
 
» 22 November 2009
Latest Internet Explorer Vulnerability Exposed

You've all probably heard the news by now. The latest iteration of Microsoft's system-integrated web browser, Internet Explorer (IE) 8, currently has a programming bug in its XSS protection that can allow grave, server-crippling attacks against sites that are otherwise safe.

The coding flaw in IE 8 can be exploited to introduce cross-site scripting (XSS) errors on websites that are otherwise secure, according to various cyber security institutions that discussed at length just how grave a threat the bug really is. Moreover, they alleged, Microsoft has known about the security hole for a couple of months.

Ironically, the programming error originates in a protective measure that Microsoft programmers built into IE 8 to stop XSS attacks against websites in the first place. Many IT security experts have come to regard the flawed IE 8 protection as the browser's version of the Firefox extension NoScript, which also helps stop XSS and other types of attacks against Mozilla's bread-and-butter software.

The special IE 8 feature basically works by rewriting susceptible pages using an approach called "output encoding" so that dangerous values and characters are substituted with safer ones. A spokesman from Google has already confirmed that the IE 8 flaw truly exists, but refused to offer specific details on the matter.

It's presently unclear how the protective anti-XSS technique could cause websites that are otherwise safe to become susceptible to this ubiquitous attack. According to Michael Coates (Aspect Security's senior application security engineer, who has carefully examined the feature but was unaware of the bug), it may be feasible to force IE 8 to output encode pages in such a manner that the substituted values themselves trigger an attack on a safe, clean website.

Coates speculates that if a hacker were to figure out the details of IE 8's security hole and craft a malicious string that he knows the filter would turn into an actual attack, he could use that vulnerability to input a value that would trigger an attack on a targeted website. Incidentally, an XSS attack is a method by which hackers abuse a site's URL in order to inject malicious scripts or code into a trusted site.
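
As an added illustration (not code from this article or from Microsoft), the toy JavaScript model below shows the general hazard Coates describes: a filter that rewrites a response based on text in the request can also rewrite markup the site wrote itself, and a site owner can tell the two cases apart by comparing against a baseline response. The heuristics, the `#` substitution, the function names and the `example.test` pages are assumptions; the details of the actual IE 8 flaw are not given here.

```javascript
// Toy model of a browser-side reflected-XSS filter. NOT IE 8's real algorithm:
// the heuristics and the '#' substitution are assumptions for illustration.
const SUSPICIOUS = /<script\b|\bon\w+\s*=|javascript:/i;

// Rewrite the response wherever a suspicious query-string value occurs in it.
function filterResponse(url, body) {
  const hits = [];
  let out = body;
  for (const value of new URL(url).searchParams.values()) {
    if (!SUSPICIOUS.test(value) || !out.includes(value)) continue;
    // Neuter the match by substituting its second character.
    out = out.split(value).join(value[0] + "#" + value.slice(2));
    hits.push(value);
  }
  return { body: out, hits };
}

// Site-owner check: a hit that also occurs in the baseline response (same page
// requested without parameters) is the site's own markup, not a reflection.
function classifyHits(hits, baselineBody) {
  return hits.map((value) => ({
    value,
    kind: baselineBody.includes(value) ? "author-markup" : "reflected",
  }));
}

// Constructed sample pages on a hypothetical origin, example.test.
const searchPage = (q = "") => `<p>Results for ${q}</p>`;               // echoes q unescaped
const homePage = () => `<p>Welcome</p><script src="/app.js"></script>`; // echoes nothing

function demo() {
  // Case 1: the value really is reflected, so the rewrite is doing its job.
  const payload = "<script>alert(1)</script>";
  const url1 = "https://example.test/search?q=" + encodeURIComponent(payload);
  const r1 = filterResponse(url1, searchPage(payload));

  // Case 2: the value merely matches the page's own tag, which gets rewritten too.
  const ownTag = '<script src="/app.js">';
  const url2 = "https://example.test/?x=" + encodeURIComponent(ownTag);
  const r2 = filterResponse(url2, homePage());

  return {
    reflected: { body: r1.body, hits: classifyHits(r1.hits, searchPage()) },
    coincidental: { body: r2.body, hits: classifyHits(r2.hits, homePage()) },
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the second case the page never echoes the parameter, yet its own script tag is altered because the request happened to contain the same text; the filter cannot see that distinction, while the server-side baseline comparison can.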

 


© Copyright 1999-2012: SecPoint®