Slashdot Mirror

← Back to Stories (view on slashdot.org)

IE Flaw Exposes Users To Spoof-Based Attacks

Posted by Zonk on from the fool-me-once dept.

Sotos wrote to mention a C|Net article discussing a new spoof-based attack on Internet Explorer. From the article: " The problem lies in the way Microsoft has implemented a JavaScript component in its Web browser, security researcher Amit Klein wrote in a research document. Internet Explorer does not validate some data fields provided by a PC when the component, called XmlHttpRequest, is used, he wrote. The vulnerability could be exploited with specially crafted code. An attacker could spoof a legitimate Web site, access data from the Web browser's cache or stage a so-called man-in-the-middle attack, which taps into traffic between a user and another Web site, according to Klein's write-up. " Secunia has an alert up on the spoof.

6 of 169 comments (clear)

  1. What about by temojen · · Score: 3, Interesting

    Same-source policy? Couldn't this only be used to attack the server that the script came from?

  2. A quick response to another IE flaw by EosDominus · · Score: 1, Interesting
    I'm sure MS will patch this withing 6 months to a year, so what is everyone worried about??

    Ok, sarcasm off.

    I can't believe the firefox revolution is slowing...

  3. Cross-Browsing by Doc+Ruby · · Score: 2, Interesting

    I use IE only when a page won't open/display/work correctly in Firefox. So I already know (AFAICT) that the page I'm viewing is "really" the page I think it is. I wish there were a plugin that added an "Open Link in IE" context menu item. And even better to somehow add a "Return to Firefox" option that opens a link or reopens a page from IE to Firefox, to get back to Earth from Purgatory.

    --

    --
    make install -not war

  4. How awful is the IE codebase? by CyricZ · · Score: 4, Interesting

    After recently working with the Mozilla codebase, I'm surprised that flaws aren't found more often. To be honest, it's a very complex beast. Perhaps overly complex. The worst part, however, is the outdated documentation. It displays the sort of attributes that often lead to bugs and security flaws.

    Now, what really interests me is in how horrible the quality of the Internet Explorer code must be for it to run into so many problems. Considering how unappealing Mozilla was, I can't even begin to imagine how absolutely terrible the IE codebase is.

    Perhaps somebody with experience with both could, assuming NDAs don't get in the way, describe how the quality of the two codebases compare.

    --
    Cyric Zndovzny at your service.
  5. Firefox has to be brought up now by fak3r · · Score: 1, Interesting

    This is why I have my mom running Firefox on windows, and for those who will say FF has vulns, yes, they do, but with the 'auto-updating' option on 1.5 it will change that view. No one (save for us geeks) want to reinstall software all the time; most of the time if it works, they're not going to upgrade. 1.5 will 'auto-update' the bits to keep the browser secure, and I'm sure it will continue to while the browser moves to 1.6 and beyond.

    --
    fak3r.com
  6. Tin Foil Hat Time!! by JavaRob · · Score: 2, Interesting

    1) Yes, XMLHTTPRequest is that thingy that powers AJAX.

    2) AJAX is that thing that's making it possible to write responsive, platform-independant, server-based apps.

    3) Responsive, platform-independant, server-based apps are those things that are threatening Microsoft's deathgrip on the desktop.

    4) [Apply tinfoil hat if needed] So... perhaps Microsoft inserts a dangerous bug in their XMLHTTPRequest implementation, so that

    5) Microsoft must deploy a security fix that CRIPPLES or limits AJAX...? And

    6) Profit!!

    Hmm.... the mystery unfolds. It's a little wacky, I'll admit, but keep your hats on until you see if anything breaks when the "fix" is deployed. This is fun!