It seems that the IE8 XSS Filter has a bug that makes otherwise safe sites vulnerable to XSS (if they don't opt out of the feature).
While the Register post is less than informative, this is also reported by Giorgio Maone. Apparently, the problem stems from the fact that the IE8 XSS Filter alters page content (when triggered) in a way that can be exploited (a charset trick? double escaping?).
I've no idea how the actual exploit works, though (or whether it's real or not!), but I'll eventually take a look. Either way, we followed Google a couple of weeks ago and opted out back then, when I first posted about the filter (so as to be left with just our very own security problems to wonder about :-) ).
This sure sounds bad - like any security bug - but I don't think this alone should be taken as a reason to condemn the IE feature as a whole. This IMO was bound to happen (what software doesn't have bugs?) - what matters here (to me) is what I already pointed out when discussing the "politics" of the filter earlier: making such a feature (on the client) an opt-out option for web developers is not necessarily a good thing.
Here, it clearly means more work for conscientious web developers, who now have to deploy a quick opt-out fix. At least, this whole affair may draw more attention to XSS problems, which is a good thing.
Either way, let's wait for Microsoft's answer and, eventually, their patch.
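The "opt-out fix" mentioned above is a response header: IE8 disables its XSS Filter for a page when the server sends `X-XSS-Protection: 0` (the header name is not quoted in the post; it is the documented IE8 mechanism). As an added example that is not part of the original post, the Python below shows a WSGI middleware that applies the opt-out to every response, plus a small audit helper that tells you, for a given set of response headers, whether IE8 will apply the filter. The stub application and the request environ are constructed for the demo.

```python
# Added example (not from the original post): applying and auditing the IE8
# XSS Filter opt-out header in a WSGI application.
# Assumption: IE8 treats "X-XSS-Protection: 0" as "filter off", any other
# value as "filter on", and a missing header as "filter on" (the default).

OPT_OUT_HEADER = "X-XSS-Protection"


def xss_filter_state(headers):
    """Return 'off', 'on' or 'default' for a list of (name, value) response headers.

    Header names are matched case-insensitively; only the first token before
    any ';' is inspected, so "0" and "0; anything" both count as opted out.
    """
    for name, value in headers:
        if name.lower() == OPT_OUT_HEADER.lower():
            token = value.split(";", 1)[0].strip()
            return "off" if token == "0" else "on"
    return "default"  # no header at all: IE8 applies the filter


def opt_out_middleware(app):
    """Wrap a WSGI app so every response carries X-XSS-Protection: 0.

    Any X-XSS-Protection header the app already set is dropped first, so the
    opt-out cannot be silently overridden by a duplicate header.
    """
    def wrapped(environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            kept = [(n, v) for n, v in headers
                    if n.lower() != OPT_OUT_HEADER.lower()]
            kept.append((OPT_OUT_HEADER, "0"))
            return start_response(status, kept, exc_info)
        return app(environ, patched_start_response)
    return wrapped


def demo_app(environ, start_response):
    """Constructed stand-in for a real application: serves one HTML page."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<html><body>hello</body></html>"]


def run_once(app, path="/"):
    """Drive a WSGI app with a minimal constructed environ; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "wsgi.url_scheme": "http"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    _, headers, _ = run_once(demo_app)
    print("plain app:   filter state =", xss_filter_state(headers))
    _, headers, _ = run_once(opt_out_middleware(demo_app))
    print("wrapped app: filter state =", xss_filter_state(headers))
```

The audit helper is the part worth keeping around: run it over the headers of a real response (or feed it the output of a header dump) before and after deploying the opt-out, so you can confirm the change actually reached the browser rather than assuming it did.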
Comments
#1
dmp
Monday, November 23 2009, 22:17
I thought I would add this to complete my post: in any case, there is absolutely no point in rushing to disable the filter if you don't have a clear understanding of the issue.
If you do, do it for a better reason than "I'm afraid of a vuln that I don't understand and this is Microsoft, so this must be bad".