Nasty Data-Stealing Bug Haunts Internet Explorer 8
Trailrunner7 writes "There's an unpatched vulnerability in Internet Explorer 8 that enables simple data-stealing attacks by Web-based attackers and could lead to an attacker hijacking a user's authenticated session on a third-party site. The flaw, which a researcher said may have been known since 2008, lies in the way IE8 handles CSS. The vulnerability can be exploited through an attack scenario known as cross-domain theft, and researcher Chris Evans originally brought the problem to light in a blog post in December. At the time, all of the major browsers were vulnerable to the attack, but since then, Firefox, Chrome, Safari and Opera all have implemented a simple defense mechanism. The upshot of this is that if a victim has visited a given Web site, authenticated himself to the site, and then visits a site controlled by an attacker, the attacker would have the ability to hijack the user's session and extract supposedly confidential data. This attack works on the latest, fully patched release of IE8."
People still use MSIE?
I used it last week on a friend's computer, and was amazed to discover that this product of a multi-billion dollar software company doesn't even support multicolumn rendering or HTML5 video tags. It felt like I'd fallen through a time warp into the 1990s.
So it doesn't support standards that aren't finished? Wow, how criminal.
Look, if you're going to blame someone for holding up the web, blame the W3C... it's their job. The only reason HTML5 is going ahead at all is because an outside group did most of the work.
It's unfair to gripe at Microsoft for not supporting unfinished standards, considering:
1) How much they got burned by implementing CSS1 early, then having the box model "clarified" out from under them when their implementation was already in released software.
2) Despite that, they *do* have support for both of those in the next version of the browser due... next month? Or really really soon now.
Comment of the year