Monday, September 6, 2010

Nasty Data-Stealing Bug Haunts Internet Explorer 8

There's an unpatched vulnerability in Internet Explorer 8 that enables simple data-stealing attacks by Web-based attackers and could lead to an attacker hijacking a user's authenticated session on a third-party site. The flaw, which a researcher said may have been known since 2008, lies in the way that IE 8 handles CSS style sheets.

The vulnerability can be exploited through an attack scenario known as cross-domain theft, and researcher Chris Evans originally brought the problem to light in a blog post in December. At the time, all of the major browsers were vulnerable to the attack, but since then, Firefox, Chrome, Safari and Opera all have implemented a simple defense mechanism. Mozilla was the last to fix the issue, in July.

But Microsoft has not yet implemented a fix for the vulnerability, and Evans on Friday posted a message to the Full Disclosure mailing list pointing out this fact and linking to a benign demo site. Microsoft Security Response Center officials said they are aware of the issue and are investigating it.


Three researchers at Carnegie Mellon University have published a paper on this attack--to which Evans contributed--and lay out a client-side defense against it. The defense calls for browsers to enforce the content-type checking for style sheets that are loaded from other sites. The authors stipulate that strict enforcement of this policy can break a very small number of sites, so a less-strict version also is detailed in the paper.

The defense has been adopted in one form or another by Google Chrome, Mozilla Firefox, Apple Safari and Opera.
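The strict form of the content-type check described above, as an added example (not code from the article, the paper or any browser): a style sheet loaded from another site is applied only when its response is labelled `text/css`. The function names and the `example.test` URLs are constructed for illustration, and the paper's less-strict variant is not modelled here.

```javascript
// Added example: models the strict policy only. All names are hypothetical.

// Extract the media type from a Content-Type header value, ignoring
// parameters such as charset and normalising case. Returns "" if absent.
function mediaType(contentType) {
  if (typeof contentType !== "string") return "";
  return contentType.split(";")[0].trim().toLowerCase();
}

// Two URLs are same-origin when scheme, host and port all match.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Decide whether a document at pageUrl may apply the style sheet fetched
// from sheetUrl, given the Content-Type header of the response.
function mayLoadStylesheet(pageUrl, sheetUrl, contentType) {
  // The check applies only to style sheets loaded from other sites.
  if (sameOrigin(pageUrl, sheetUrl)) return true;
  // Cross-site: the response must be labelled as CSS.
  return mediaType(contentType) === "text/css";
}

// Constructed sample responses (hosts are placeholders).
const page = "https://app.example.test/inbox";
const samples = [
  ["https://app.example.test/site.css", "text/html"],         // same origin, mislabelled
  ["https://cdn.example.test/site.css", "text/css; charset=utf-8"],
  ["https://cdn.example.test/site.css", "TEXT/CSS"],
  ["https://mail.example.test/inbox", "text/html; charset=utf-8"], // HTML, not CSS
  ["https://cdn.example.test/old.css", undefined],            // header missing
  ["http://app.example.test/site.css", "text/plain"],         // scheme differs
];
for (const [url, type] of samples) {
  const verdict = mayLoadStylesheet(page, url, type) ? "load " : "block";
  console.log(verdict, url, type);
}
```

The mislabelled and unlabelled cross-site responses are the ones strict enforcement refuses, which is why a site that serves its own style sheets from another host without `text/css` would break under this policy.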

Evans said in his Full Disclosure message that he decided to post it as a way to encourage Microsoft to fix the problem. "I have been unsuccessful in persuading the vendor to issue a fix," he wrote.

Last month, Evans said that the bug itself might have been known in the attacker community since 2008.

"That's a dangerously long time for such a bug to be live and known by hackers," he wrote. "Browsers are complicated pieces of software and will always have bugs. Time-to-fix therefore matters for a browser. If security is a factor in your browser choice, I recommend you look at Opera or Chrome. These browsers fixed this bug the fastest."


Mozilla rated the issue "Moderate" (2 out of 4) for Firefox in Security Advisory 2010-46.

Danish computer security firm Secunia has rated the issue as "Less Critical" (2 out of 5). The vulnerability is confirmed in Internet Explorer 6, 7, and 8 on a fully patched Windows XP SP3. Other versions may also be affected.
