Nasty Data-Stealing Bug Haunts Internet Explorer 8
Trailrunner7 writes "There's an unpatched vulnerability in Internet Explorer 8 that enables simple data-stealing attacks by Web-based attackers and could lead to an attacker hijacking a user's authenticated session on a third-party site. The flaw, which a researcher said may have been known since 2008, lies in the way IE8 handles CSS. The vulnerability can be exploited through an attack scenario known as cross-domain theft, and researcher Chris Evans originally brought the problem to light in a blog post in December. At the time, all of the major browsers were vulnerable to the attack, but since then, Firefox, Chrome, Safari and Opera all have implemented a simple defense mechanism. The upshot of this is that if a victim has visited a given Web site, authenticated himself to the site, and then visits a site controlled by an attacker, the attacker would have the ability to hijack the user's session and extract supposedly confidential data. This attack works on the latest, fully patched release of IE8."
Eh, more like 15, but who's counting?
And yet, I'm pissed off at the fact that they keep saying all over the Web that IE9 kicks other browsers' ass. My family all wants to try the new MS product because of those FUCKING PROMOTIONS.
Have you heard about SoylentNews?
What year are you from? IE hasn't been used for Windows Update since... well, hell, it was optional even in Windows XP. Going to the site in Vista (almost 4 years old now) or higher just redirects you to the control panel.
It's not 1998 anymore.
Comment of the year
Actually, it's only 52% and dropping rapidly. If nothing else, at least MS is having to make a modern standards-compliant browser. I, for one, don't think it'll be enough to gain back much lost market share, but at least it'll make it easier on us web developers. Source: http://en.wikipedia.org/wiki/Internet_Explorer#Market_adoption_and_usage_share
"People don't want to learn Linux" hasn't been a valid excuse since '03.
And still it will not help with this problem.
This is not an attack where it tries to infect your Windows installation or anything like that.
This is a cross-domain information leakage problem.
Where someone can get information from domain x by inserting something from domain y and use that to do things on domain x or do session hijacking.
Session hijacking would mean that if you logged in on some site, someone else from somewhere else can log in while you were logged in.
Come back when you understand web-development.