Slashdot Mirror


IE Flaw Exposes Users To Spoof-Based Attacks

Sotos wrote to mention a C|Net article discussing a new spoof-based attack on Internet Explorer. From the article: "The problem lies in the way Microsoft has implemented a JavaScript component in its Web browser, security researcher Amit Klein wrote in a research document. Internet Explorer does not validate some data fields provided by a PC when the component, called XmlHttpRequest, is used, he wrote. The vulnerability could be exploited with specially crafted code. An attacker could spoof a legitimate Web site, access data from the Web browser's cache or stage a so-called man-in-the-middle attack, which taps into traffic between a user and another Web site, according to Klein's write-up." Secunia has an alert up on the spoof.

7 of 169 comments

  1. Crank Up The Flamethrowers by geomon · · Score: 4, Insightful

    Okay, now we spend time generating another 500+ comments discussing how shitty IE's security is and how Firefox isn't much better. Add the other browser users (Opera, Konqueror) and we get another 300+ comments. Throw in the fact that each cross-platform browser runs better in Linux/OSX/BSD, or is emulated better (hence, more secure) through Wine and we generate another 250+ comments.

    Every security announcement is met with the same level of bickering without any resolution in sight. Google "Internet Explorer Firefox security comparison" and you get another 1.7 million opinions.

    Will it ever end?

    --
    "Rocky Rococo, at your cervix!"
    1. Re:Crank Up The Flamethrowers by Shut+the+fuck+up! · · Score: 2, Insightful


      Will it ever end?

      If it does, so too will Slashdot.

  2. You gotta love this part by cc-rider-Texas · · Score: 4, Insightful

    Microsoft is unhappy about the way the problem was disclosed. The company urges security researchers to report problems in its products privately so it can provide a fix. "This public disclosure potentially puts computer users at risk," the Microsoft representative said.

    Security through obscurity, yeah right. IMHO this just makes Microsoft get on the ball and do something about the problem rather than putting it on the back burner since "nobody would know about it."

    --
    If you give a liberal an enema, he'll turn transparent.
    1. Re:You gotta love this part by dajobi · · Score: 5, Insightful

      That's not security by obscurity. That's "at least give us a chance to fix it before you tell the crackers." The Mozilla guys tell exactly the same tale.

  3. ActiveX by QuaintRealist · · Score: 4, Insightful

    The fundamental premise of your post is correct - no one flaw proves a browser is "better" than another browser, and flamewars ensue from these flawed comparisons. Nevertheless, there is an underlying problem with IE: ActiveX. This is yet another example of how Microsoft, wanting to "kill" a more open product (Java), has introduced its own, flawed, "standard" which causes its own problems. In this case, ActiveX is not secure and cannot be made reasonably secure, and this is the problem many of us have with IE.

    --
    Using plain ol' text since 1968
    1. Re:ActiveX by Anonymous Coward · · Score: 1, Insightful
  4. At the heart of it all by elwin_windleaf · · Score: 2, Insightful

    I think that the only reason posts like this one garner so much discussion is because the web browser has become (arguably) the most important program on the PC. Not only is it used for certain parts of the operating system, but I'm willing to bet my reputation that almost everyone in those 1000+ comments is using one of the browsers being discussed to discuss.

    Until the web browser evolves or is replaced, this kind of conversation is unavoidable.