Two-year-old data leakage flaw still haunts Internet Explorer
Summary: The vulnerability, which was reported to Microsoft more than 600 days ago (December 2008), remains unfixed despite multiple efforts by security researchers to highlight the severity of the problem.
Microsoft's Internet Explorer browser suffers from a data leakage flaw that could have serious security implications.
Google security researcher Chris Evans, who previously reported a similar flaw in Mozilla Firefox, said this seemingly minor flaw can cause major headaches:
The bug is specific to Internet Explorer, and still seems unfixed (in stable versions) at the time of writing. I told Microsoft about it back in 2008. Therefore this disclosure is not an 0-day, but more like a 600-day.
The bug is pretty simple: IE supports a window.onerror callback which fires whenever a JavaScript parse or runtime error occurs. Trouble is, it fires even if www.evil.com registers its own window.onerror handler and then uses <script src="http://www.bank.com/">
Evans posted a demo attack against Google Reader (since blocked) that works by stealing cross-origin content, which in that case happened to be an anti-XSRF token.
NOTE: I've asked Microsoft for a response and will update this blog post as necessary.
UPDATE: It doesn't look like Microsoft is planning to fix this anytime soon. Here is the company's response:
“Microsoft is aware of the public posting of a low severity information disclosure issue in Internet Explorer. A successful attack requires a victim website to be configured in a specific way which is non-standard for most sites. We are not aware of any attacks seeking to exploit this issue and will update customers if that changes.”

Talkback
RE: Two-year-old data leakage flaw still haunts Internet Explorer
Words like "serious problem" seem to escape you...
I think he's being facetious
RE: Two-year-old data leakage flaw still haunts Internet Explorer
The words that are relevant here are [i]could could[/i] and before one calls it a "serious" issue one should find out just how this has been exploited and more to the point IF it has been exploited. I'll grant that this is something MS should have fixed sooner rather than later but perhaps it's more of a priority thing where this particular issue is not as much of a priority as others.
Wow, it's like listening to Mac users
This is exactly like listening to the "Macs are invulnerable to (insert type of malware here)" crowd. There is a 600-day old, potentially serious flaw in IE. Despite the fact that IE has had a major version release since the flaw was reported, it's still out there. Where is the upside in this, exactly?
BTW: Yes, I scan for malware on all my Macs as well as my Windows PCs. We need to stop giving these manufacturers a free pass.
RE: Two-year-old data leakage flaw still haunts Internet Explorer
Yes. I noticed the parallel construction. So am I supposed to go "ACK MY HEAD IS ON FIRE" at every OS X exploit? Or am I supposed to go, "Hey, wow man, whatever." for IE exploits.
Because I'm pretty sure my response to these things is consistently "Hmm. Inactive. Okay. Some concern, no crisis. Be glad when it's fixed."
The 600 day thing might be the active ingredient in this story, and, again, I would think that if it had been OS X as the target, I would have also noted the delay as a tad long.
Like I said
OK, then your tone of rhetoric effectively obscured your point. My apologies if my reply caused you any distress. My point is that instead of leading with rhetoric, <i>everyone</i> myself included would do better to lead with a thesis. For example "Microsoft must have had higher priority issues" followed by the rest of your post. With the thesis in mind your post reads much more logically, much less fanboy IMHO.
As to your point - I'll agree with you as far as it goes. I still think that with a *major release* thrown in the mix Microsoft *seems to* not be giving this the priority that I think it deserves. My opinion only.
RE: Two-year-old data leakage flaw still haunts Internet Explorer
And this still does not answer the question of IF this issue has actually been exploited and how many people were affected by this issue. For me personally it is simply curiosity as I do not use IE.
RE: Two-year-old data leakage flaw still haunts Internet Explorer
DeusX
RE: Two-year-old data leakage flaw still haunts Internet Explorer
" Bring up the fact that OSX has more vulnerabilities than Windows and they'll point out that it doesn't matter because none of them have been used."
Um, far more likely they will challenge you on your facts. It is a complete misstatement that OSX has more vulnerabilities than Windows. This is a well-beaten path, and I have been down it many times, so knowing full well what your response is going to be (talk about pseudo-ironic) please list your citation that shows that OSX has more vulnerabilities than Windows.
Really?
1280 Vulnerabilities
That is 2010 for OSX. That vulnerability count is higher than Windows.
Yes really
DeusX
Define "long term"
You sound awfully familiar
That's right, you sound just like the Mac Fanbois I used to hang out with in Cyberspace. While they're all getting koobfaced, what will you be doing?
;-)