Two-year-old data leakage flaw still haunts Internet Explorer

Summary:The vulnerability, which was reported to Microsoft more than 600 days ago (December 2008), remains unfixed despite multiple efforts by security researchers to highlight the severity of the problem.

Microsoft's Internet Explorer browser suffers from a data leakage flaw that could could have serious security implications.

The vulnerability, which was reported to Microsoft more than 600 days ago (December 2008), remains unfixed despite multiple efforts by security researchers to highlight the severity of the problem.

Google security researcher Chris Evans, who previously reported a similar flaw in Mozilla Firefox, said this minor flaw can have major headaches:

follow Ryan Naraine on twitter

The bug is specific to Internet Explorer, and still seems unfixed (in stable versions) at the time of writing. I told Microsoft about it back in 2008. Therefore this disclosure is not an 0-day, but more like a 600-day.

The bug is pretty simple: IE supports a window.onerror callback which fires whenever a Javascript parse or runtime error occurs. Trouble is, it fires even if www.evil.com registers its own window.onerror handler and then uses < script src="http://www.bank.com/">

Evans posted a demo attack against Google Reader (since blocked) that works by stealing cross-origin content which happens to be an anti-XSRF token.

NOTE: I've asked Microsoft for a response and will update this blog post as necessary.

UPDATE:  It doesn't look like Microsoft is planning to fix this anytime soon. Here is the company's response:

“Microsoft is aware of the public posting of a low severity information disclosure issue in Internet Explorer. A successful attack requires a victim website to be configured in a specific way which is non-standard for most sites. We are not aware of any attacks seeking to exploit this issue and will update customers if that changes.”

Topics: Security, Browser, Microsoft

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.