Microsoft investigates years-old IE bug
Only major browser still not patched, says Google security researcher
Computerworld - Microsoft last Friday said it was looking into a long-known vulnerability in Internet Explorer (IE) that could be used to access users' data and Web-based accounts.
The bug can allow hackers to hijack Web mail accounts, steal data and send illicit tweets, said Google security engineer Chris Evans in a message posted on the Full Disclosure mailing list.
The vulnerability, known as a "CSS cross-origin theft" bug, has a long history. Researchers at Carnegie Mellon University, who recently published a paper (download PDF) on the subject, have traced it back as far as 2002. Those researchers will present their paper at the Conference on Computer and Communications Security next month.
Although Microsoft has not patched the vulnerability in IE8, other browsers, including Firefox, Chrome, Safari and Opera, have fixed the flaw. Google patched the bug in Chrome last January, while Mozilla did the same in July with Firefox 3.6.7 and Firefox 3.5.11.
IE9 includes a fix for the vulnerability. Microsoft plans to ship a public beta of IE9 on Sept. 15.
On Friday, Evans explained why he was adding to the patch pressure by crafting a proof-of-concept. "I have been unsuccessful in persuading the vendor to issue a fix," he said of Microsoft.
Microsoft issued a statement Friday saying it was investigating Evans' reports, but declined to answer questions on Monday, including whether earlier versions of IE were vulnerable or why it has not yet addressed the bug.
"We're currently unaware of any attacks trying to use the claimed vulnerability or of customer impact," said Jerry Bryant, a group manager with the Microsoft Security Response Center, in the e-mailed statement.
Microsoft should not have been surprised by Evans' disclosure. In early August, Evans blogged that IE8 was the "most vulnerable" to the flaw. In that blog, Evans also said he had a proof-of-concept able to appropriate a Web mail account. "It's a nasty attack," Evans said, "E-mail someone a link and if they click it, they are owned with a pure browser cross-origin bug."
This isn't the first time that someone from Google has released information about a bug in Microsoft software after claiming he got the cold shoulder. Earlier this summer, Tavis Ormandy -- like Evans a Google security researcher -- went public with a Windows flaw after he said Microsoft wouldn't commit to a patching deadline. Microsoft disputed Ormandy's account.
Microsoft eventually pushed up the patch date for Ormandy's bug by a month.
On Friday, Bryant reiterated Microsoft's position on early disclosures. "To minimize risk to computer users, Microsoft continues to encourage coordinated vulnerability disclosure," he said, referring to his company's new term for keeping vulnerability information secret until a patch is available.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.
- IE6: Retired but not dead yet
- Chrome users won't give up, keep pressing Google to restore old-style new tab page
- Google quashes 31 vulnerabilities, restores Metro mode 'steppers' with Chrome 34
- Firefox's UI face-lift on track for April debut
- Ex-Mozilla engineer blames Microsoft's rules for Metro Firefox's death
- Mozilla patches 20 Firefox flaws, plugs Pwn2Own holes
- Google reverses field, promises to restore Chrome's scrollbar arrows
- Update: Google ships Chrome 33, patches 28 bugs
- Mozilla's top exec defends in-Firefox ads, revenue search
- Mozilla taps in-Firefox ads as it searches for more revenue
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts