Slashdot Mirror

← Back to Stories (view on slashdot.org)

IE Flaw Exposes Users To Spoof-Based Attacks

Posted by Zonk on from the fool-me-once dept.

Sotos wrote to mention a C|Net article discussing a new spoof-based attack on Internet Explorer. From the article: " The problem lies in the way Microsoft has implemented a JavaScript component in its Web browser, security researcher Amit Klein wrote in a research document. Internet Explorer does not validate some data fields provided by a PC when the component, called XmlHttpRequest, is used, he wrote. The vulnerability could be exploited with specially crafted code. An attacker could spoof a legitimate Web site, access data from the Web browser's cache or stage a so-called man-in-the-middle attack, which taps into traffic between a user and another Web site, according to Klein's write-up. " Secunia has an alert up on the spoof.

6 of 169 comments (clear)

  1. Re:XMLHttpRequest? What's That? by pe1chl · · Score: 5, Informative

    It is the thingy that powers AJAX

  2. Let the IE/FF comparisons begin by Viper+Daimao · · Score: 5, Informative

    I'll start with the securia site.

    Internet Explorer: Microsoft Internet Explorer 6.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Highly critical...Currently, 20 out of 86 Secunia advisories, is marked as "Unpatched" in the Secunia database.

    FireFox: Mozilla Firefox 1.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Less critical...Currently, 3 out of 24 Secunia advisories, is marked as "Unpatched" in the Secunia database.

    --
    "In the game of life, someone always has to lose. To me, if life were fair, that someone would always be Oklahoma." -DKR
  3. Re:So what exactly.. by Bogtha · · Score: 3, Informative

    I have to admit that I don't have much experience with IE, but is it really required to use ActiveX to use XMLHTTPRequest in IE? Somehow I got an impression that JavaScript is all that is required... (or ActiveX is used under the hood?)

    You only have to write Javascript to use it, but that doesn't change the fact that the XMLHttpRequest object is provided by ActiveX, and if you switch off ActiveX, XMLHttpRequest stops working.

    This will change in Internet Explorer 7, which implements XMLHttpRequest as a native host object in the same way as other browsers. There's some discussion of this on the IE Blog.

    --
    Bogtha Bogtha Bogtha
  4. Incorrect title by Anonymous Coward · · Score: 4, Informative

    The problem is with the proxy servers, not IE.
    Read the paper

    Yawn...

  5. Re:Cross-Browsing by J-B0nd · · Score: 4, Informative

    Try the IE View Plugin Here: http://ieview.mozdev.org/

  6. Re:You gotta love this part by SoccerManUNLV · · Score: 5, Informative

    I guess you never read the story on ZDnet about a month ago, and MS was "looking into it". Apparently this does work and yet MS dropped the ball again, nothing knew, just expected sooner.