
Nasty Data-Stealing Bug Haunts Internet Explorer 8

There's an unpatched vulnerability in Internet Explorer 8 that enables simple data-stealing attacks by Web-based attackers and could lead to an attacker hijacking a user's authenticated session on a third-party site. The flaw, which a researcher said may have been known since 2008, lies in the way that IE 8 handles CSS style sheets.

The vulnerability can be exploited through an attack scenario known as cross-domain theft, and researcher Chris Evans originally brought the problem to light in a blog post in December. At the time, all of the major browsers were vulnerable to the attack, but since then, Firefox, Chrome, Safari and Opera all have implemented a simple defense mechanism. Mozilla was the last to fix the issue, in July.

But Microsoft has not yet implemented a fix for the vulnerability, and Evans on Friday posted a message to the Full Disclosure mailing list pointing out this fact and linking to a benign demo site. Microsoft Security Response Center officials said they are aware of the issue and are investigating it.
