Slashdot Mirror


IE Flaw Utilizes Google Desktop Search

abscondment writes "An error in the way Internet Explorer parses CSS files has been discovered by Matan Gillon of Israel. The flaw can be exploited by any website, and used to access personal information via Google's Desktop Search program. Of course, Google contends that this is a flaw with IE, and not their search software."

6 of 165 comments

  1. Hm.. Evil Empire vs Company making great products by altoz · Score: 5, Insightful

    Which do I believe?....

  2. An error in the way IE parses CSS?!?! by Anonymous Coward · Score: 5, Funny

    I am shocked to learn of this, shocked and dismayed.

  3. Re:Nice submission troll by Anonymous Coward · Score: 5, Informative

    I can see how the Slashbot must suffer over this - it's Google, but it's a security vulnerability, but it's Microsoft, so it's OK, but it's still Google, so what do we do? Laugh, cry, sell stock?

    According to the ZDNet article Firefox and Opera aren't affected - so it really is Microsoft's problem, and independent of Google.

  4. Re:Hm.. Evil Empire vs Company making great produc by krakelohm · Score: 5, Funny

    Who's who?

    --
    You are all a bunch of idots.

  5. The bug is in Google's software by sycomonkey · Score: 5, Funny

    The bug is that it uses IE in the first place.

    --
    --The universe will not be altered by forum threads, even those which are very wry. --Tycho Brahe (Penny Arcade)

  6. Security hole has _nothing_ to do with google! by ArsenneLupin · Score: 5, Informative

    Folks, RTFA!

    Ok, so the FA is a bit long, so here you have a three sentence summary:

    The exploit allows reading foreign Web pages by abusing a broken security check in the document.stylesheets JavaScript method.

    The malicious code first loads the page to be snarfed as a CSS into the current document using addImport, and from there into a JavaScript variable using document.stylesheets. Finally the variable is posted back to the website of the exploiter.

    The Google Desktop was only cited as an example. But basically any protected web page could have been targeted (a webmail site such as Hotmail, any other password-protected page, intranet server not accessible from outside, ...)
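
Comment 6 puts the hole in a broken security check on reading an imported style sheet back into script. As an added example (not from the thread, the linked article, or any browser's source), here is a simplified JavaScript model of the two checks that close that path: refuse to parse a cross-origin response as CSS unless it is served as `text/css`, and let script read a sheet's text only when the sheet is same-origin. The function names and URLs are constructed for the illustration.

```javascript
// Added illustration: a simplified model of the cross-origin checks for an
// imported style sheet. Function names and URLs are constructed for this example.

// Origin of a URL, or null when it is opaque (file:, data:, ...).
function originOf(url) {
  const origin = new URL(url).origin;
  return origin === "null" ? null : origin;
}

// Opaque origins never match anything, including themselves.
function sameOrigin(a, b) {
  const oa = originOf(a);
  return oa !== null && oa === originOf(b);
}

// Strip parameters such as "; charset=utf-8" and normalise case.
function mimeType(contentType) {
  return String(contentType || "").split(";")[0].trim().toLowerCase();
}

// Decide what a page may do with a resource it pulled in as a style sheet.
function styleSheetPolicy(pageUrl, sheetUrl, contentType) {
  const same = sameOrigin(pageUrl, sheetUrl);
  return {
    // A cross-origin response is parsed as CSS only if the server labelled it
    // CSS, so an HTML page (webmail, intranet) never reaches the CSS parser.
    parseAsCss: same || mimeType(contentType) === "text/css",
    // Script may read the parsed text back only for same-origin sheets.
    scriptMayReadText: same,
  };
}

// Constructed cases: one page pulling in its own and other sites' resources.
const page = "https://attacker.example/index.html";
const cases = [
  ["https://attacker.example/site.css", "text/css"],
  ["https://webmail.example/inbox", "text/html; charset=utf-8"],
  ["https://cdn.example/theme.css", "Text/CSS; charset=utf-8"],
  ["http://intranet.example/wiki", ""],
];
for (const [url, type] of cases) {
  console.log(url, JSON.stringify(styleSheetPolicy(page, url, type)));
}
```

A legitimate cross-origin sheet still renders (`parseAsCss` is true for the CDN case), but its text stays unreadable to the importing page, which is the property the broken check failed to enforce.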