Microsoft investigates years-old IE bug
Only major browser still not patched, says Google security researcher
Computerworld - Microsoft last Friday said it was looking into a long-known vulnerability in Internet Explorer (IE) that could be used to access users' data and Web-based accounts.
The bug can allow hackers to hijack Web mail accounts, steal data and send illicit tweets, said Google security engineer Chris Evans in a message posted on the Full Disclosure mailing list.
The vulnerability, known as a "CSS cross-origin theft" bug, has a long history. Researchers at Carnegie Mellon University, who recently published a paper on the subject, have traced it back as far as 2002. Those researchers will present their paper at the Conference on Computer and Communications Security next month.
Although Microsoft has not patched the vulnerability in IE8, other browsers, including Firefox, Chrome, Safari and Opera, have fixed the flaw. Google patched the bug in Chrome last January, while Mozilla did the same in July with Firefox 3.6.7 and Firefox 3.5.11.
IE9 includes a fix for the vulnerability. Microsoft plans to ship a public beta of IE9 on Sept. 15.
On Friday, Evans explained why he was adding to the patch pressure by crafting a proof-of-concept. "I have been unsuccessful in persuading the vendor to issue a fix," he said of Microsoft.
Microsoft issued a statement Friday saying it was investigating Evans' reports, but declined to answer questions on Monday, including whether earlier versions of IE were vulnerable or why it has not yet addressed the bug.
"We're currently unaware of any attacks trying to use the claimed vulnerability or of customer impact," said Jerry Bryant, a group manager with the Microsoft Security Response Center, in the e-mailed statement.
Microsoft should not have been surprised by Evans' disclosure. In early August, Evans blogged that IE8 was the "most vulnerable" to the flaw. In that blog, Evans also said he had a proof-of-concept able to appropriate a Web mail account. "It's a nasty attack," Evans said, "E-mail someone a link and if they click it, they are owned with a pure browser cross-origin bug."
This isn't the first time that someone from Google has released information about a bug in Microsoft software after claiming he got the cold shoulder. Earlier this summer, Tavis Ormandy -- like Evans a Google security researcher -- went public with a Windows flaw after he said Microsoft wouldn't commit to a patching deadline. Microsoft disputed Ormandy's account.
Microsoft eventually pushed up the patch date for Ormandy's bug by a month.
On Friday, Bryant reiterated Microsoft's position on early disclosures. "To minimize risk to computer users, Microsoft continues to encourage coordinated vulnerability disclosure," he said, referring to his company's new term for keeping vulnerability information secret until a patch is available.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.