Slashdot Mirror


IE Flaw Exposes Users To Spoof-Based Attacks

Sotos wrote to mention a C|Net article discussing a new spoof-based attack on Internet Explorer. From the article: "The problem lies in the way Microsoft has implemented a JavaScript component in its Web browser, security researcher Amit Klein wrote in a research document. Internet Explorer does not validate some data fields provided by a PC when the component, called XmlHttpRequest, is used, he wrote. The vulnerability could be exploited with specially crafted code. An attacker could spoof a legitimate Web site, access data from the Web browser's cache or stage a so-called man-in-the-middle attack, which taps into traffic between a user and another Web site, according to Klein's write-up." Secunia has an alert up on the spoof.

14 of 169 comments

  1. Re:XMLHttpRequest? What's That? by pe1chl · · Score: 5, Informative

    It is the thingy that powers AJAX

  2. Re:XMLHttpRequest? What's That? by turkeywrap · · Score: 2, Informative

    I was being just a tad sarcastic.

  3. The (first) 'A' in AJAX by mike_sabatino · · Score: 1, Informative

    XmlHttpRequest is the javascript object that allows for asynchronous communication between your web browser and a server located elsewhere on the internet, i.e. the first A in AJAX.

  4. Let the IE/FF comparisons begin by Viper+Daimao · · Score: 5, Informative

    I'll start with the Secunia site.

    Internet Explorer: Microsoft Internet Explorer 6.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Highly critical...Currently, 20 out of 86 Secunia advisories, is marked as "Unpatched" in the Secunia database.

    Firefox: Mozilla Firefox 1.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Less critical...Currently, 3 out of 24 Secunia advisories, is marked as "Unpatched" in the Secunia database.

    --
    "In the game of life, someone always has to lose. To me, if life were fair, that someone would always be Oklahoma." -DKR
  5. Re:So what exactly.. by Bogtha · · Score: 3, Informative

    I have to admit that I don't have much experience with IE, but is it really required to use ActiveX to use XMLHTTPRequest in IE? Somehow I got an impression that JavaScript is all that is required... (or ActiveX is used under the hood?)

    You only have to write Javascript to use it, but that doesn't change the fact that the XMLHttpRequest object is provided by ActiveX, and if you switch off ActiveX, XMLHttpRequest stops working.

    This will change in Internet Explorer 7, which implements XMLHttpRequest as a native host object in the same way as other browsers. There's some discussion of this on the IE Blog.

    --
    Bogtha Bogtha Bogtha
  6. Incorrect title by Anonymous Coward · · Score: 4, Informative

    The problem is with the proxy servers, not IE.
    Read the paper

    Yawn...

  7. Re:Cross-Browsing by J-B0nd · · Score: 4, Informative

    Try the IE View Plugin Here: http://ieview.mozdev.org/

  8. Re:You gotta love this part by SoccerManUNLV · · Score: 5, Informative

    I guess you never read the story on ZDNet about a month ago, and MS was "looking into it". Apparently this does work and yet MS dropped the ball again, nothing new, just expected sooner.

  9. Re:XMLHttpRequest? What's That? by serutan · · Score: 2, Informative

    XmlHttpRequest is a way for client-side script to submit an http request and receive the results as XML or text. It's pretty cool because you can make a web page behave like a little client-server app, eliminating the need for page refreshes and session state maintenance. The name AJAX was made up recently, but the technique has been around for years, ever since IE4. Microsoft implemented it as an ActiveX object, but Mozilla now supports it natively.

  10. Re:Cross-Browsing by something_wicked_thi · · Score: 2, Informative

    Um, there is. Look for a View in Internet Explorer extension for FF. They did actually release a View in Firefox extension for IE, too, but I don't know if that still exists.

  11. Re:ActiveX by Ucklak · · Score: 2, Informative

    That is one of the best comments about what the problem actually is that I have ever read.

    I would say that the ActiveX and CSS are my two main headaches with IE. The other would be the lack of tabbed browsing but I don't use IE.

    --
    if you steal from one source, that is plagiarism, if you steal from many, well, that's just research.
  12. Re:ActiveX by Anonymous Coward · · Score: 1, Informative

    The Firefox vulnerabilities described in that Secunia page you link to were fixed in version 1.07, which was released two days before the page you link to was written.

    Where is Microsoft's patch for this IE vulnerability?

    I'm sorry, but all you have managed to do is prove, once again, that while open source software certainly does not prevent bugs and security holes, it does do a whole damn lot better than Microsoft at fixing them when they appear.

  13. Re:ActiveX by Anonymous Coward · · Score: 1, Informative

    I think the stuff is initiated via COM via ActiveX, even though the programmer is only using JS.

  14. Big deal, you can already spoof any site. by cwolves0 · · Score: 2, Informative

    I fail to see why this is even considered an issue. You can EASILY spoof any website with server-side code and the "attack" is cross-browser.

    The security bulletin talks about how using a specifically formed URL, you can download content from a remote site. I do the same thing all the time with a simple bridge in php:

    httpbridge.php:
    ---------------

    so if you want to get content from google in javascript:

    // Create the request object: ActiveX on IE, native XMLHttpRequest elsewhere
    var A=null;try{A=new ActiveXObject('Msxml2.XMLHTTP');}catch(e){try{A=new ActiveXObject('Microsoft.XMLHTTP');}catch(oc){A=null;}}
    if (!A && typeof XMLHttpRequest!='undefined'){A=new XMLHttpRequest();}
    // Synchronous GET to the bridge, which fetches the remote URL server-side
    A.open('GET', 'http://www.yoursite.com/httpbridge.php?url=http://www.google.com', false);
    A.send();
    document.write(A.responseText);

    And now you can do any of the listed attacks in any browser. This is nothing new, lots of people already do it for useful reasons. The most recent use I've found is to pull geocodes.
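
A bridge like the one in comment 14 fetches whatever `url` it is handed, so anyone who finds it can use it as an open proxy. The check below is an added example, not part of that comment or of any real bridge code, showing the target validation such a bridge could run before fetching; `checkBridgeTarget`, `ALLOWED_HOSTS` and the sample allowlist are assumptions made for illustration.

```javascript
// Added example: target validation for a URL-fetching bridge such as
// httpbridge.php?url=... (checkBridgeTarget and ALLOWED_HOSTS are hypothetical).
const ALLOWED_HOSTS = new Set(['www.google.com']); // constructed sample allowlist

function checkBridgeTarget(rawUrl, allowedHosts = ALLOWED_HOSTS) {
  if (typeof rawUrl !== 'string' || rawUrl.length === 0) {
    return { ok: false, reason: 'missing url' };
  }
  // The URL parser silently strips tabs and newlines, so reject control
  // characters and spaces on the raw string before parsing it.
  if (/[\x00-\x20\x7f]/.test(rawUrl)) {
    return { ok: false, reason: 'control or space character' };
  }
  let u;
  try {
    u = new URL(rawUrl); // absolute URLs only; relative input throws
  } catch (e) {
    return { ok: false, reason: 'not an absolute URL' };
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    return { ok: false, reason: 'scheme not allowed' };
  }
  // "http://allowed-host@other-host/" parses with other-host as the hostname.
  if (u.username !== '' || u.password !== '') {
    return { ok: false, reason: 'embedded credentials' };
  }
  if (u.port !== '') { // default ports normalise to ''
    return { ok: false, reason: 'explicit port not allowed' };
  }
  // Compare the parsed, lower-cased hostname exactly; never substring-match
  // the raw string.
  if (!allowedHosts.has(u.hostname)) {
    return { ok: false, reason: 'host not on allowlist' };
  }
  return { ok: true, target: u.href };
}
```

The server-side fetch should also refuse to follow redirects, or re-run the same check on every `Location` it receives.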