IE Flaw Exposes Users To Spoof-Based Attacks
Sotos wrote to mention a C|Net article discussing a new spoof-based attack on Internet Explorer. From the article: "The problem lies in the way Microsoft has implemented a JavaScript component in its Web browser, security researcher Amit Klein wrote in a research document. Internet Explorer does not validate some data fields provided by a PC when the component, called XmlHttpRequest, is used, he wrote. The vulnerability could be exploited with specially crafted code. An attacker could spoof a legitimate Web site, access data from the Web browser's cache or stage a so-called man-in-the-middle attack, which taps into traffic between a user and another Web site, according to Klein's write-up." Secunia has an alert up on the spoof.
XMLHttpRequest? Never heard of it.
Okay, now we spend time generating another 500+ comments discussing how shitty IE's security is and how Firefox isn't much better. Add the other browser users (Opera, Konqueror) and we get another 300+ comments. Throw in the fact that each cross-platform browser runs better in Linux/OSX/BSD, or is emulated better (hence, more secure) through Wine and we generate another 250+ comments.
Every security announcement is met with the same level of bickering without any resolution in sight. Google "Internet Explorer Firefox security comparison" and you get another 1.7 million opinions.
Will it ever end?
"Rocky Rococo, at your cervix!"
Same-source policy? Couldn't this only be used to attack the server that the script came from?
It is the thingy that powers AJAX
Microsoft is unhappy about the way the problem was disclosed. The company urges security researchers to report problems in its products privately so it can provide a fix. "This public disclosure potentially puts computer users at risk," the Microsoft representative said.
Security through obscurity, yeah right. IMHO this just makes Microsoft get on the ball and do something about the problem rather than putting it on the back burner since "nobody would know about it."
If you give a liberal an enema, he'll turn transparent.
Am I wrong or haven't we seen this story before?
So, like, Spaceballs could compromise my boxen?
You are not the customer.
"Yea, but it hasn't even been exploited yet! It doesn't count unless it's been exploited, right?"
"I bet there will be a fix out within 24 hours! Exploits don't count if they are fixed quickly, right?"
"I don't care if they find a thousand exploits; I still won't use IE!"
Oh, wait . . . I thought the article was about another Firefox exploit. Never mind.
Firefox? I'm using Webwhale, which is much better!
I'll start with the Secunia site.
Internet Explorer: Microsoft Internet Explorer 6.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Highly critical...Currently, 20 out of 86 Secunia advisories, is marked as "Unpatched" in the Secunia database.
Firefox: Mozilla Firefox 1.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Less critical...Currently, 3 out of 24 Secunia advisories, is marked as "Unpatched" in the Secunia database.
"In the game of life, someone always has to lose. To me, if life were fair, that someone would always be Oklahoma." -DKR
But if we don't use Microsoft products, how will we be able to access the internet? *confused* :)
The fundamental premise of your post is correct - no one flaw proves a browser is "better" than another browser, and flamewars ensue from these flawed comparisons. Nevertheless, there is an underlying problem with IE: ActiveX. This is yet another example of how Microsoft, wanting to "kill" a more open product (Java), has introduced its own, flawed, "standard" which causes its own problems. In this case, ActiveX is not secure and cannot be made reasonably secure, and this is the problem many of us have with IE.
Using plain ol' text since 1968
(I really do wish it was completely a joke)
Free Software: Like love, it grows best when given away.
There's no chance a spoof attack would ever wo.df&^3478adf@$%%
/*User dead*/
Should be another quiet weekend in Redmond while Microsoft fixes this one.
Active Ingredient: Triclosan
Other Ingredients: Water, Magnesium and/or Sodium Dodecylbenzenesulfonate, ammonium laureth sulfate, Sodium xylenesulfonate, SD alcohol 3-A, Lauryl polyglucose, Laurylamidopropylamine oxide, Magnesium sulfate, Sodium bisulfate, fragrance, Pentasodium pentetate, DMDM Hydantoin, D&C Orange No 4.
See, see, Triclosan is what powers AJAX!
Unstable Apps: Our Android Apps Don't Suck
After recently working with the Mozilla codebase, I'm surprised that flaws aren't found more often. To be honest, it's a very complex beast. Perhaps overly complex. The worst part, however, is the outdated documentation. It displays the sort of attributes that often lead to bugs and security flaws.
Now, what really interests me is how horrible the quality of the Internet Explorer code must be for it to run into so many problems. Considering how unappealing Mozilla was, I can't even begin to imagine how absolutely terrible the IE codebase is.
Perhaps somebody with experience with both could, assuming NDAs don't get in the way, describe how the quality of the two codebases compares.
Cyric Zndovzny at your service.
You only have to write Javascript to use it, but that doesn't change the fact that the XMLHttpRequest object is provided by ActiveX, and if you switch off ActiveX, XMLHttpRequest stops working.
This will change in Internet Explorer 7, which implements XMLHttpRequest as a native host object in the same way as other browsers. There's some discussion of this on the IE Blog.
Bogtha Bogtha Bogtha
The problem is with the proxy servers, not IE.
Read the paper
Yawn...
Try the IE View Plugin Here: http://ieview.mozdev.org/