Two-year-old data leakage flaw still haunts Internet Explorer

Summary: The vulnerability, which was reported to Microsoft more than 600 days ago (December 2008), remains unfixed despite multiple efforts by security researchers to highlight the severity of the problem.

Microsoft's Internet Explorer browser suffers from a data leakage flaw that could have serious security implications.

Google security researcher Chris Evans, who previously reported a similar flaw in Mozilla Firefox, said this minor flaw can cause major headaches:

The bug is specific to Internet Explorer, and still seems unfixed (in stable versions) at the time of writing. I told Microsoft about it back in 2008. Therefore this disclosure is not an 0-day, but more like a 600-day.

The bug is pretty simple: IE supports a window.onerror callback which fires whenever a JavaScript parse or runtime error occurs. Trouble is, it fires even if www.evil.com registers its own window.onerror handler and then uses <script src="http://www.bank.com/">.

Evans posted a demo attack against Google Reader (since blocked) that works by stealing cross-origin content which happens to be an anti-XSRF token.
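The rule that closes this kind of leak is the "muted errors" behaviour in the HTML Standard: a page's window.onerror handler gets only a generic message for a script from another origin unless that script was loaded with CORS approval. The sketch below is an added example, not code from Evans or from any browser; the function names, the token and the error text are constructed for illustration.

```javascript
// Added example. Origins follow the article's www.evil.com / www.bank.com
// wording; the token and the error text are constructed sample values.
const PAGE = "http://www.evil.com/";
const TOKEN = "CONSTRUCTED-XSRF-TOKEN-0001";
const CROSS = { src: "http://www.bank.com/", corsApproved: false };
// Constructed error: stands in for a parser message that quotes response text.
const ERR = { message: `parse error near ${TOKEN}`, lineno: 1, colno: 1 };

// What the HTML Standard hands to window.onerror for a muted script.
const MUTED = Object.freeze({ message: "Script error.", source: "", lineno: 0, colno: 0 });

// Details may reach the page only for same-origin scripts, or for
// cross-origin scripts whose server opted in through CORS.
function mayExposeDetails(pageUrl, script) {
  const pageOrigin = new URL(pageUrl).origin;
  const scriptOrigin = new URL(script.src, pageUrl).origin; // resolves relative src
  return pageOrigin === scriptOrigin || script.corsApproved === true;
}

// The behaviour the article describes: no origin check before reporting.
function unfilteredReport(script, err) {
  return { message: err.message, source: script.src, lineno: err.lineno, colno: err.colno };
}

// The standardized behaviour: same data, but gated on the origin check.
function mutedReport(pageUrl, script, err) {
  return mayExposeDetails(pageUrl, script) ? unfilteredReport(script, err) : MUTED;
}

// Helper for the comparison: does anything handed to the handler contain the secret?
function exposes(report, secret) {
  return JSON.stringify(report).includes(secret);
}

console.log("unfiltered exposes token:", exposes(unfilteredReport(CROSS, ERR), TOKEN));
console.log("muted exposes token:     ", exposes(mutedReport(PAGE, CROSS, ERR), TOKEN));
console.log("same-origin page sees:   ",
  mutedReport("http://www.bank.com/account", { src: "/app.js", corsApproved: false }, ERR).message);
```

A site's own error monitoring keeps working under this rule, because same-origin scripts and CORS-approved scripts still report full details.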

NOTE: I've asked Microsoft for a response and will update this blog post as necessary.

UPDATE: It doesn't look like Microsoft is planning to fix this anytime soon. Here is the company's response:

“Microsoft is aware of the public posting of a low severity information disclosure issue in Internet Explorer. A successful attack requires a victim website to be configured in a specific way which is non-standard for most sites. We are not aware of any attacks seeking to exploit this issue and will update customers if that changes.”

Talkback

25 comments
  • RE: Two-year-old data leakage flaw still haunts Internet Explorer

    It's not a problem if there are no exploits. Maybe the report got lost in a pile of emails. And as you said, it's a minor bug. Probably get fixed in IE9. It's only minor.
    Loverock Davidson
    • Words like "serious problem" seem to escape you...

      Ah well, nothing new from you, or from Microsoft.
      zkiwi
      • I think he's being facetious

        That type of thought is what OSX and Linux users give when somebody points out any vulnerability or flaw in their OS of choice or their program of choice.
        Michael Alan Goff
      • RE: Two-year-old data leakage flaw still haunts Internet Explorer

        @zkiwi "Microsoft's Internet Explorer browser suffers from a data leakage flaw that could could have serious security implications."

        The words that are relevant here are "could could" and before one calls it a "serious" issue one should find out just how this has been exploited and more to the point IF it has been exploited. I'll grant that this is something MS should have fixed sooner rather than later but perhaps it's more of a priority thing where this particular issue is not as much of a priority as others.
        athynz
      • Wow, it's like listening to Mac users

        @athynz
        This is exactly like listening to the "Macs are invulnerable to (insert type of malware here)" crowd. There is a 600-day old, potentially serious flaw in IE. Despite the fact that IE has had a major version release since the flaw was reported, it's still out there. Where is the upside in this, exactly?

        BTW: Yes, I scan for malware on all my Macs as well as my Windows PCs. We need to stop giving these manufacturers a free pass.
        use_what_works_4_U
      • RE: Two-year-old data leakage flaw still haunts Internet Explorer

        @my fellow tier 3ers
        Yes. I noticed the parallel construction. So am I supposed to go "ACK MY HEAD IS ON FIRE" at every OS X exploit? Or am I supposed to go, "Hey, wow man, whatever." for IE exploits.

        Because I'm pretty sure my response to these things is consistently "Hmm. Inactive. Okay. Some concern, no crisis. Be glad when it's fixed."

        The 600 day thing might be the active ingredient in this story, and, again, I would think that if it had been OS X as the target, I would have also noted the delay as a tad long.
        DannyO_0x98
      • Like I said

        I think he's just picking at that logic used by Mac Fanboys.
        Michael Alan Goff
      • RE: Two-year-old data leakage flaw still haunts Internet Explorer

        @macadam I never said there was an upside to this nor am I giving MS some sort of free pass - I AM saying (and said) that perhaps this is not as much of a priority as other issues that they have...
        athynz
      • RE: Two-year-old data leakage flaw still haunts Internet Explorer

        @athynz
        OK, then your tone of rhetoric effectively obscured your point. My apologies if my reply caused you any distress. My point is that instead of leading with rhetoric, *everyone* myself included would do better to lead with a thesis. For example "Microsoft must have had higher priority issues" followed by the rest of your post. With the thesis in mind your post reads much more logically, much less fanboy IMHO.

        As to your point - I'll agree with you as far as it goes. I still think that with a *major release* thrown in the mix Microsoft *seems to* not be giving this the priority that I think it deserves. My opinion only.
        use_what_works_4_U
      • RE: Two-year-old data leakage flaw still haunts Internet Explorer

        @macadam So first you compare me to a mac fanboi (which I find really amusing) and now you are criticizing the way I write? You sir must have a lot of time on your hands. Or perhaps I should have led with my theory that you have a lot of time on your hands followed by why I formulated the theory.

        And this still does not answer the question of IF this issue has actually been exploited and how many people were affected by this issue. For me personally it is simply curiosity as I do not use IE.
        athynz
      • RE: Two-year-old data leakage flaw still haunts Internet Explorer

        @goff256
        LD is incapable of being facetious. He is even incapable of understanding the concept.
        That said, please point to a single instance where OSX and Linux users give this excuse. While it makes a convenient straw man argument, it is both not generally true, and indicates that perhaps you are misunderstanding their argument.
        If it is an argument about malware, then the fact that there are no active exploits IS a highly relevant response. If the discussion is security, and OS vulnerability, then it is only partially so.
        There are multiple levels involved, so there is not enough information here either way to reach a conclusion re: MS' priorities.
        DeusXMachina
      • DeusX

        Bring up the fact that OSX has more vulnerabilities than Windows and they'll point out that it doesn't matter because none of them have been used.
        Michael Alan Goff
      • RE: Two-year-old data leakage flaw still haunts Internet Explorer

        @goff256
        "Bring up the fact that OSX has more vulnerabilities than Windows and they'll point out that it doesn't matter because none of them have been used."

        Um, far more likely they will challenge you on your facts. It is a complete misstatement that OSX has more vulnerabilities than Windows. This is a well-beaten path, and I have been down it many times, so knowing full well what your response is going to be (talk about pseudo-ironic) please list your citation that shows that OSX has more vulnerabilities than Windows.
        DeusXMachina
      • Really?

        147 Secunia advisories
        1280 Vulnerabilities

        That is 2010 for OSX. That vulnerability count is higher than Windows.
        Michael Alan Goff
      • Yes really

        @goff256

        You apparently do not understand the Secunia numbers. First, it is interesting to note that Secunia STILL does not provide an unpatched vulnerabilities section, like they do for all versions of Windows. Without this data, the numbers are without context.
        More importantly, please delineate the breakdown of vulnerabilities between OSX Leopard vs. Snow Leopard. What, you say, there is not data available to do that, because Secunia lumps all versions of OSX together, unlike with Windows, where each version has its numbers broken out into a separate page?
        Try taking that into account, and adding up the numbers. Your conclusion is NOT supported by the data.
        DeusXMachina
      • DeusX

        That's likely only 10.4-10.6 at best, as Apple isn't known for their long term support for anything they make.
        Michael Alan Goff
      • Define "long term"

        Or is this another fallacy dreamed up by a narrow-minded shill?
        ahh so
    • You sound awfully familiar

      @Loverock Davidson
      That's right, you sound just like the Mac Fanbois I used to hang out with in Cyberspace. While they're all getting koobfaced, what will you be doing?

      ;-)
      use_what_works_4_U
    • RE: Two-year-old data leakage flaw still haunts Internet Explorer

      @Loverock Davidson right up until someone decides to exploit it, which should be pretty soon now....
      nickdangerthirdi@...
    • RE: Two-year-old data leakage flaw still haunts Internet Explorer

      @goff256

      "That's likely only 10.4-10.6 at best, as Apple isn't known for their long term support for anything they make."

      This statement is triply misinformed/foolish. First, Apple has no connection to Secunia, so whatever Apple's track record is vis-a-vis support of legacy products is WHOLLY irrelevant. Second, and more to the point, there is NO reason to suppose Secunia is limiting it to Tiger and above, but even if they were, the numbers don't add up in your favour, as this would then include vulnerabilities corresponding to XP-Win7.
      Third, you CLEARLY know next to nothing about Apple and Apple support of legacy products. Instead, you are just parroting what you read online somewhere. In fact, Apple continues to support a wide range of legacy products, long after MS abandoned contemporary rivals. Panther and Puma continue to this day to get security updates, PPC is still supported, etc.
      If you want this claim to be accepted, perhaps you should back it up with some examples of actual products supposedly abandoned by Apple.
      DeusXMachina