It’s a little bit ironic when the thing that you put in place to protect you from certain attacks, it’s the thing that, in the end, makes you vulnerable to them. Although I can’t imagine the people at Microsoft are finding it funny.
According to the Register (and its unnamed sources from Microsoft), there is a flaw in the latest version of Internet Explorer that enables cross-site scripting errors to be introduced on websites that are in all other respects completely safe. And this flaw is found in the feature Microsoft added to its browser for the specific prevention of this sort of attack.
The protection rewrites vulnerable pages in such a way as to replace the hazardous characters and values with ones that are more secure. There is no definite explanation about the way the flaw is exploited, but it is speculated that the attacker could use the system against itself by creating a string that can be substituted to a value and offer a way to introduce an attack into a page.
Apparently, Microsoft has been aware of the vulnerability for a few months now. They say that, as far as they know, there hasn’t been an attack that takes advantage of the flaw, but that they will issue a patch or give advice as soon as they finish the investigation.
It seems that Google has also been aware of the flaw, because they chose to override the feature on their web properties. When asked to explain it, they said that they know of it and that they disabled it to protect their users, but refrained from further comment.