Two-year-old data leakage flaw still haunts Internet Explorer

Written by Ryan Naraine, Contributor

Microsoft's Internet Explorer browser suffers from a data leakage flaw that could have serious security implications.

The vulnerability, which was reported to Microsoft more than 600 days ago (December 2008), remains unfixed despite multiple efforts by security researchers to highlight the severity of the problem.

Google security researcher Chris Evans, who previously reported a similar flaw in Mozilla Firefox, said this minor flaw can cause major headaches:

The bug is specific to Internet Explorer, and still seems unfixed (in stable versions) at the time of writing. I told Microsoft about it back in 2008. Therefore this disclosure is not an 0-day, but more like a 600-day.

The bug is pretty simple: IE supports a window.onerror callback which fires whenever a Javascript parse or runtime error occurs. Trouble is, it fires even if www.evil.com registers its own window.onerror handler and then uses <script src="http://www.bank.com/">

Evans posted a demo attack against Google Reader (since blocked) that works by stealing cross-origin content which happens to be an anti-XSRF token.
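For contrast with the behaviour Evans describes, the sketch below models the rule current browsers apply to this callback: an error from a cross-origin script that was not fetched with CORS reaches window.onerror only as a generic "Script error." with no URL or line number. It is an added example, not code from the article or from Evans's post; the function names, the `corsApproved` flag and the sample error are assumptions made for illustration.

```javascript
// Added illustration: simplified model of the cross-origin "muted error" rule.
// Function and field names are hypothetical, not a browser API.

// Origin = scheme + host + port, as computed by the WHATWG URL parser.
// Opaque origins (data:, file:) serialize to "null" and never match anything.
function originOf(url) {
  const origin = new URL(url).origin;
  return origin === "null" ? null : origin;
}

// Decide what a window.onerror handler registered by the page at documentUrl
// may see for an error raised while parsing or running the script at scriptUrl.
// corsApproved models a script requested with the crossorigin attribute whose
// response passed the CORS check.
function onerrorArgsFor(documentUrl, scriptUrl, error, corsApproved = false) {
  let sameOrigin = false;
  try {
    const docOrigin = originOf(documentUrl);
    sameOrigin = docOrigin !== null && docOrigin === originOf(scriptUrl);
  } catch (e) {
    sameOrigin = false; // unparseable URL: fail closed and mute
  }
  if (sameOrigin || corsApproved) {
    return { message: error.message, source: scriptUrl, lineno: error.lineno, muted: false };
  }
  // Cross-origin without CORS: nothing derived from the response body,
  // its URL, or the failing position reaches the handler.
  return { message: "Script error.", source: "", lineno: 0, muted: true };
}

// Constructed sample: a non-JavaScript response parsed as script, where the
// engine's message would quote part of the response body.
const sampleError = { message: "'token_PLACEHOLDER' is undefined", lineno: 1 };

const crossOrigin = onerrorArgsFor("http://www.evil.com/", "http://www.bank.com/", sampleError);
const sameOrigin = onerrorArgsFor("http://www.bank.com/app", "http://www.bank.com/", sampleError);
console.log(crossOrigin);
console.log(sameOrigin);
```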

NOTE: I've asked Microsoft for a response and will update this blog post as necessary.

UPDATE: It doesn't look like Microsoft is planning to fix this anytime soon. Here is the company's response:

“Microsoft is aware of the public posting of a low severity information disclosure issue in Internet Explorer. A successful attack requires a victim website to be configured in a specific way which is non-standard for most sites. We are not aware of any attacks seeking to exploit this issue and will update customers if that changes.”
