A recently added protection mechanism in IE8, intended to protect websites from cross-site scripting attacks, has ironically been revealed to contain a design flaw that would potentially allow the exact opposite. According to The Register, this flaw enables cross-site scripting errors to be introduced on websites that are otherwise completely safe by rewriting pages using a technique known as output encoding.
There is no definite explanation as to how the flaw is exploited, but it is speculated that an attacker could turn the XSS protection of Internet Explorer 8 against itself by manipulating the server's response, creating a string he knows will be substituted with a certain value and thereby gaining a way to introduce an attack into a page.
Microsoft is currently investigating the vulnerability and has promised to take appropriate action, but claims it has received no reports of the flaw being actively exploited in the wild. Other sites, such as Google, indicated they were taking the threat seriously and have taken steps to avoid being compromised.