Microsoft downplays IE 'cookiejacking' bug
But clickjacking expert Jeremiah Grossman calls cookie hijacking attack 'clever'
Computerworld - Microsoft today downplayed the threat posed by an unpatched vulnerability in all versions of Internet Explorer (IE) that an Italian researchers has shown can be exploited to hijack people's online identities.
The bug, which has been only discussed and not disclosed in detail, was part of an attack technique described by Rosario Valotta, who dubbed the tactic "cookiejacking," a play on "clickjacking," an exploit method first revealed in 2008.
Valotta combined an unpatched bug, or "zero-day," in IE with a twist on the well-known clickjacking tactic to demonstrate how attackers can steal any cookie for any site from users duped into dragging and dropping an object on a malicious Web page.
He had demonstrated the attack at a pair of security conferences in Amsterdam and Zurich earlier this month, then published more information on his blog Monday.
By hijacking site cookies from IE7, IE8 and even IE9, attackers would be able to access victims' Web email, Facebook and Twitter accounts; or impersonate them on critical sites that encrypt traffic, like online banks and retail outlets.
Jeremiah Grossman, founder and CTO of WhiteHat Security, called Valotta's attack "clever" and said he could see hackers taking to it as a fallback to clickjacking, which he and Robert Hansen uncovered and publicized nearly two years ago. "In the event they can't find a cross-site scripting or clickjacking vulnerability, this would be a nice fallback plan for [attackers]," Grossman said.
But MIcrosoft didn't think cookiejacking was much to worry about.
"Given the level of required user interaction, this issue is not one we consider high risk in the way a remote code execution would possibly be to users," said Jerry Bryant, group manager with the Microsoft Security Response Center (MSRC). "In order to possibly be impacted, a user must visit a malicious Web site and be convinced to click and drag items around the page in order for the attacker to target a specific cookie from a Web site that the user was previously logged into."
Grossman strongly disagreed.
"I think they're wrong," he said. "Like many esoteric attack techniques, until they've seen it used in the wild, they'll downplay it. It's actually a very simple attack, but it's not technically difficult, so their take is 'Nothing new to see here.'"
Valotta's proof-of-concept attack was relatively simple: He built a Facebook game that baited users with a simple puzzle of an attractive woman, and with it was able to collect dozens of cookies from unsuspecting Facebook users.
"I published this game online on Facebook and in less than three days, more than 80 cookies were sent to my server," Valotta told the Reuters news service this week.
The puzzle required users to drag and drop pieces on the Web page; unbeknownst to the victims, when they did so they actually dragged cookies to a specific spot on the screen where a clickjacking attack captured the data before sending it Valotta.
Valotta said that all versions of IE, including the just-released IE9, on all supported editions of Windows, including XP, Vista and Windows 7, were vulnerable to cookiejacking attacks.
Bryant added that the IE vulnerability was not serious enough to trigger an emergency, or "out-of-band" security update. "We are also not aware of it being used in any active way outside of the demo at [the Amsterdam] Hack in the Box [conference], he said.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Gartner Report: A Guide to Gartner's Enterprise Mobile Security Self-Assessment Gartner introduces a model and a Toolkit intended to help mobility and security IT leaders assess their enterprise mobility programs from a security...
- Gartner Report: Containing Mobile Security Risks With the 80/20 Rule IT planners can deliver better mobile protection with higher user satisfaction by segmenting users into risk groups before committing to specific management or...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts