Slashdot Mirror


IE Flaw Exposes Users To Spoof-Based Attacks

Sotos wrote to mention a C|Net article discussing a new spoof-based attack on Internet Explorer. From the article: "The problem lies in the way Microsoft has implemented a JavaScript component in its Web browser, security researcher Amit Klein wrote in a research document. Internet Explorer does not validate some data fields provided by a PC when the component, called XmlHttpRequest, is used, he wrote. The vulnerability could be exploited with specially crafted code. An attacker could spoof a legitimate Web site, access data from the Web browser's cache or stage a so-called man-in-the-middle attack, which taps into traffic between a user and another Web site, according to Klein's write-up." Secunia has an alert up on the spoof.


  1. XMLHttpRequest? What's That? by turkeywrap · · Score: 5, Funny

    XMLHttpRequest? Never heard of it.

  2. Crank Up The Flamethrowers by geomon · · Score: 4, Insightful

    Okay, now we spend time generating another 500+ comments discussing how shitty IE's security is and how Firefox isn't much better. Add the other browser users (Opera, Konqueror) and we get another 300+ comments. Throw in the fact that each cross-platform browser runs better in Linux/OSX/BSD, or is emulated better (hence, more secure) through Wine and we generate another 250+ comments.

    Every security announcement is met with the same level of bickering without any resolution in sight. Google "Internet Explorer Firefox security comparison" and you get another 1.7 million opinions.

    Will it ever end?

    --
    "Rocky Rococo, at your cervix!"
    1. Re:Crank Up The Flamethrowers by Shut+the+fuck+up! · · Score: 2, Insightful


      Will it ever end?

      If it does, so too will Slashdot.

    2. Re:Crank Up The Flamethrowers by eggoeater · · Score: 5, Funny

      Then add another 100+ comments on your comments on how many comments we have and we'll have even more comments.....

      ...and then there's the comments on the comments on the comments....

      ...no...it will never end....especially after the dup story is posted tomorrow.

    3. Re:Crank Up The Flamethrowers by Anonymous Coward · · Score: 2, Funny

      Let me finish this discussion right here, right now:

      Nazi.

  3. What about by temojen · · Score: 3, Interesting

    Same-source policy? Couldn't this only be used to attack the server that the script came from?

  4. Re:XMLHttpRequest? What's That? by pe1chl · · Score: 5, Informative

    It is the thingy that powers AJAX

  5. You gotta love this part by cc-rider-Texas · · Score: 4, Insightful

    Microsoft is unhappy about the way the problem was disclosed. The company urges security researchers to report problems in its products privately so it can provide a fix. "This public disclosure potentially puts computer users at risk," the Microsoft representative said.

    Security through obscurity, yeah right. IMHO this just makes Microsoft get on the ball and do something about the problem rather than putting it on the back burner since "nobody would know about it."

    --
    If you give a liberal an enema, he'll turn transparent.
    1. Re:You gotta love this part by dajobi · · Score: 5, Insightful

      That's not security by obscurity. That's "at least give us a chance to fix it before you tell the crackers." The Mozilla guys tell exactly the same tale.

    2. Re:You gotta love this part by SoccerManUNLV · · Score: 5, Informative

      I guess you never read the story on ZDnet about a month ago, and MS was "looking into it". Apparently this does work and yet MS dropped the ball again, nothing new, just expected sooner.

  6. Dupe? by P0ldy · · Score: 5, Funny

    Am I wrong or haven't we seen this story before?

  7. Spoof-based? by Limburgher · · Score: 4, Funny

    So, like, Spaceballs could compromise my boxen?

    --

    You are not the customer.

  8. Re:XMLHttpRequest? What's That? by turkeywrap · · Score: 2, Informative

    I was being just a tad sarcastic.

  9. Here come the pre-packaged sound bites. . . by EraserMouseMan · · Score: 5, Funny

    "Yea, but it hasn't even been exploited yet! It doesn't count unless it's been exploited, right?"

    "I bet there will be a fix out within 24 hours! Exploits don't count if they are fixed quickly, right?"

    "I don't care if they find a thousand exploits; I still won't use IE!"


    Oh, wait . . . I thought the article was about another Firefox exploit. Nevermind.

  10. Re:Oblig by Anonymous Coward · · Score: 5, Funny

    Firefox? I'm using Webwhale, which is much better!

  11. Job security by plopez · · Score: 2, Funny

    If it weren't for MS, most IT web logs would shut down.

    All the security articles guarantee readers and advertisers :)

    --
    putting the 'B' in LGBTQ+
  12. Let the IE/FF comparisons begin by Viper+Daimao · · Score: 5, Informative

    I'll start with the Secunia site.

    Internet Explorer: Microsoft Internet Explorer 6.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Highly critical...Currently, 20 out of 86 Secunia advisories, is marked as "Unpatched" in the Secunia database.

    FireFox: Mozilla Firefox 1.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Less critical...Currently, 3 out of 24 Secunia advisories, is marked as "Unpatched" in the Secunia database.

    --
    "In the game of life, someone always has to lose. To me, if life were fair, that someone would always be Oklahoma." -DKR
    1. Re:Let the IE/FF comparisons begin by Metteyya · · Score: 3, Funny

      As with IE - these are not bugs, these are features. You know, Internet Explorer enables browsing the Internet from user's computer and the other way too.

  13. Re:Misquote by sedyn · · Score: 2, Funny

    "When will people get the message?"

    In this case, hopefully before their identity is stolen.

    --
    Am I open minded towards open source, or closed minded towards closed source?
  14. But then we can't access the net by kianu7 · · Score: 3, Funny

    But if we don't use Microsoft products, how will we be able to access the internet? *confused* :)

  15. ActiveX by QuaintRealist · · Score: 4, Insightful

    The fundamental premise of your post is correct - no one flaw proves a browser is "better" than another browser, and flamewars ensue from these flawed comparisons. Nevertheless, there is an underlying problem with IE: ActiveX. This is yet another example of how Microsoft, wanting to "kill" a more open product (Java), has introduced its own, flawed, "standard" which causes its own problems. In this case, ActiveX is not secure and cannot be made reasonably secure, and this is the problem many of us have with IE.

    --
    Using plain ol' text since 1968
    1. Re:ActiveX by Ucklak · · Score: 2, Informative

      That is one of the best comments about what the problem actually is that I have ever read.

      I would say that the ActiveX and CSS are my two main headaches with IE. The other would be the lack of tabbed browsing but I don't use IE.

      --
      if you steal from one source, that is plagiarism, if you steal from many, well, that's just research.
  16. At the heart of it all by elwin_windleaf · · Score: 2, Insightful

    I think that the only reason posts like this one garner so much discussion is because the web browser has become (arguably) the most important program on the PC. Not only is it used for certain parts of the operating system, but I'm willing to bet my reputation that almost everyone in those 1000+ comments are using one of the browsers being discussed to discuss.

    Until the web browser evolves or is replaced, this kind of conversation is unavoidable.

  17. No big deal... by Stephen+Samuel · · Score: 4, Funny

    Microsoft doesn't consider spoofed customers to be a problem, so this doesn't classify as a security problem.

    :-}

    (I really do wish it was completely a joke)

    --
    Free Software: Like love, it grows best when given away.
  18. Amateurs... by tktk · · Score: 5, Funny

    I just read the page source and render the pages in my head.

    There's no chance a spoof attack would ever wo.df&^3478adf@$%%

    /*User dead*/

  19. There Goes Someone's Weekend by usacoder · · Score: 3, Funny

    Should be another quiet weekend in Redmond while Microsoft fixes this one.

  20. Re:XMLHttpRequest? What's That? by GweeDo · · Score: 5, Funny

    Active Ingredient: Triclosan
    Other Ingredients: Water, Magnesium and/or Sodium Dodecylbenzenesulfonate, ammonium laureth sulfate, Sodium xylenesulfonate, SD alcohol 3-A, Lauryl polyglucose, Laurylamidopropylamine oxide, Magnesium sulfate, Sodium bisulfate, fragrance, Pentasodium pentetate, DMDM Hydantoin, D&C Orange No 4.


    See, see, Triclosan is what powers AJAX!

  21. Cross-Browsing by Doc+Ruby · · Score: 2, Interesting

    I use IE only when a page won't open/display/work correctly in Firefox. So I already know (AFAICT) that the page I'm viewing is "really" the page I think it is. I wish there were a plugin that added an "Open Link in IE" context menu item. And even better to somehow add a "Return to Firefox" option that opens a link or reopens a page from IE to Firefox, to get back to Earth from Purgatory.

    --
    make install -not war

    1. Re:Cross-Browsing by J-B0nd · · Score: 4, Informative

      Try the IE View Plugin Here: http://ieview.mozdev.org/

    2. Re:Cross-Browsing by something_wicked_thi · · Score: 2, Informative

      Um, there is. Look for a View in Internet Explorer extension for FF. They did actually release a View in Firefox extension for IE, too, but I don't know if that still exists.

  22. How awful is the IE codebase? by CyricZ · · Score: 4, Interesting

    After recently working with the Mozilla codebase, I'm surprised that flaws aren't found more often. To be honest, it's a very complex beast. Perhaps overly complex. The worst part, however, is the outdated documentation. It displays the sort of attributes that often lead to bugs and security flaws.

    Now, what really interests me is in how horrible the quality of the Internet Explorer code must be for it to run into so many problems. Considering how unappealing Mozilla was, I can't even begin to imagine how absolutely terrible the IE codebase is.

    Perhaps somebody with experience with both could, assuming NDAs don't get in the way, describe how the quality of the two codebases compare.

    --
    Cyric Zndovzny at your service.
  23. Re:So what exactly.. by Bogtha · · Score: 3, Informative

    I have to admit that I don't have much experience with IE, but is it really required to use ActiveX to use XMLHTTPRequest in IE? Somehow I got an impression that JavaScript is all that is required... (or ActiveX is used under the hood?)

    You only have to write Javascript to use it, but that doesn't change the fact that the XMLHttpRequest object is provided by ActiveX, and if you switch off ActiveX, XMLHttpRequest stops working.

    This will change in Internet Explorer 7, which implements XMLHttpRequest as a native host object in the same way as other browsers. There's some discussion of this on the IE Blog.

    --
    Bogtha Bogtha Bogtha
  24. Incorrect title by Anonymous Coward · · Score: 4, Informative

    The problem is with the proxy servers, not IE.
    Read the paper

    Yawn...

  25. Re:XMLHttpRequest? What's That? by serutan · · Score: 2, Informative

    XmlHttpRequest is for client-side script to submit an http request and receive the results as XML or text. It's pretty cool because you can make a web page behave like a little client-server app, eliminating the need for page refreshes and session state maintenance. The name AJAX was made up recently, but the technique has been around for years, ever since IE4. Microsoft implemented it as an ActiveX object, but Mozilla now supports it natively.

  26. WHAT?!?!? by artemis67 · · Score: 2, Funny

    IE is flawed?

    I don't believe it!!!!

  27. Tin Foil Hat Time!! by JavaRob · · Score: 2, Interesting

    1) Yes, XMLHTTPRequest is that thingy that powers AJAX.

    2) AJAX is that thing that's making it possible to write responsive, platform-independent, server-based apps.

    3) Responsive, platform-independent, server-based apps are those things that are threatening Microsoft's deathgrip on the desktop.

    4) [Apply tinfoil hat if needed] So... perhaps Microsoft inserts a dangerous bug in their XMLHTTPRequest implementation, so that

    5) Microsoft must deploy a security fix that CRIPPLES or limits AJAX...? And

    6) Profit!!

    Hmm.... the mystery unfolds. It's a little wacky, I'll admit, but keep your hats on until you see if anything breaks when the "fix" is deployed. This is fun!

  28. Big deal, you can already spoof any site. by cwolves0 · · Score: 2, Informative

    I fail to see why this is even considered an issue. You can EASILY spoof any website with server-side code and the "attack" is cross-browser.

    The security bulletin talks about how using a specifically formed URL, you can download content from a remote site. I do the same thing all the time with a simple bridge in php:

    httpbridge.php:
    ---------------

    so if you want to get content from google in javascript:

    // Create the request object: ActiveX on IE, native XMLHttpRequest elsewhere
    var A=null;try{A=new ActiveXObject('Msxml2.XMLHTTP');}catch(e){try{A=new ActiveXObject('Microsoft.XMLHTTP');}catch(oc){A=null;}}
    if (!A && typeof XMLHttpRequest!='undefined'){A=new XMLHttpRequest();}
    // Synchronous GET to the bridge script on the page's own server
    A.open('GET', 'http://www.yoursite.com/httpbridge.php?url=http://www.google.com', false);
    A.send();
    document.write(A.responseText);

    And now you can do any of the listed attacks in any browser. This is nothing new, lots of people already do it for useful reasons. The most recent use I've found is to pull geocodes.
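
A bridge like the httpbridge.php described in the comment above fetches whatever its url parameter names, so the server running it normally restricts the targets before fetching. The following is an added example, not part of the original post (whose PHP does not appear on the page); the allowlist contents and the function name checkBridgeTarget are hypothetical.

```javascript
// Added example: target validation for a server-side fetch bridge.
// ALLOWED_HOSTS and checkBridgeTarget are hypothetical names.
const ALLOWED_HOSTS = new Set(['www.google.com']); // constructed sample allowlist

function checkBridgeTarget(raw) {
  let u;
  try {
    u = new URL(raw); // throws on relative or malformed input
  } catch (e) {
    return { ok: false, reason: 'unparseable' };
  }
  // Only plain web schemes: no file:, ftp:, data: and so on.
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    return { ok: false, reason: 'scheme' };
  }
  // Userinfo ("http://www.google.com@evil.example/") makes the visible
  // prefix differ from the host that is actually contacted.
  if (u.username !== '' || u.password !== '') {
    return { ok: false, reason: 'userinfo' };
  }
  // Default ports only, so the bridge cannot be aimed at other services.
  if (u.port !== '') {
    return { ok: false, reason: 'port' };
  }
  // Compare the parsed hostname, never a substring of the raw string.
  if (!ALLOWED_HOSTS.has(u.hostname)) {
    return { ok: false, reason: 'host' };
  }
  return { ok: true, url: u.href }; // normalized URL to hand to the fetcher
}

// Constructed inputs, as they would arrive in the bridge's url= parameter.
const samples = [
  'http://www.google.com',
  'http://www.google.com@evil.example/',
  'http://www.google.com.evil.example/',
  'file:///etc/passwd',
];
for (const s of samples) {
  console.log(s, '->', JSON.stringify(checkBridgeTarget(s)));
}
```

The fetch that follows should refuse redirects or run each redirect target through the same check, since an allowed host can redirect elsewhere.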

  29. What's funny... by leshert · · Score: 2, Funny

    ...is that stories like this could be duplicates, and you'd never know it.