Slashdot Mirror


Nasty Data-Stealing Bug Haunts Internet Explorer 8

Trailrunner7 writes "There's an unpatched vulnerability in Internet Explorer 8 that enables simple data-stealing attacks by Web-based attackers and could lead to an attacker hijacking a user's authenticated session on a third-party site. The flaw, which a researcher said may have been known since 2008, lies in the way IE8 handles CSS. The vulnerability can be exploited through an attack scenario known as cross-domain theft, and researcher Chris Evans originally brought the problem to light in a blog post in December. At the time, all of the major browsers were vulnerable to the attack, but since then, Firefox, Chrome, Safari and Opera all have implemented a simple defense mechanism. The upshot of this is that if a victim has visited a given Web site, authenticated himself to the site, and then visits a site controlled by an attacker, the attacker would have the ability to hijack the user's session and extract supposedly confidential data. This attack works on the latest, fully patched release of IE8."

5 of 151 comments

  1. Let me be the first to say..... by Anonymous Coward · Score: -1, Troll

    ....BWAHAHAHAAAAAAAA!!!

    Internet Explorer: mainlining malicious code into YOUR OS for 30 years, and counting.

  2. Re:What? by 0123456 · Score: 1, Troll

    People still use MSIE?

    I used it last week on a friend's computer, and was amazed to discover that this product of a multi-billion dollar software company doesn't even support multicolumn rendering or HTML5 video tags. It felt like I'd fallen through a time warp into the 1990s.

  3. Re:News? by Anonymous Coward · Score: -1, Troll

    This hole is also still unpatched, all Microsoft's fault.

  4. Re:What? by Blakey Rat · Score: 0, Troll

    So it doesn't support standards that aren't finished? Wow, how criminal.

    Look, if you're going to blame someone for holding up the web, blame the W3C... it's their job. The only reason HTML5 is going ahead at all is because an outside group did most of the work.

    It's unfair to gripe at Microsoft for not supporting unfinished standards, considering:
    1) How much they got burned by implementing CSS1 early, then having the box model "clarified" out from under them when their implementation was already in released software.
    2) Despite that, they *do* have support for both of those in the next version of the browser due... next month? Or really really soon now.

  5. Re:What? by Blakey Rat · Score: -1, Troll

    I guess it would be easy to agree with you if the result hadn't been so destructive to the progress of the whole internet.

    IE's been caught up for like ... 4 years now. They're not holding shit back anymore, and haven't been for a long time.

    Now, companies (and individuals) that refuse to upgrade from IE6-- those are (potentially) holding sites back. But don't blame Microsoft for that! Microsoft's doing everything they can to get people to upgrade, short of sabotaging their own software or weaseling out of support contracts. Depending on your target audience, though, you can probably drop IE6 compatibility-- I mean a lot of large sites like blackberry.com have done that, and it doesn't seem to have hurt them.

    Blame where blame is due.

    I don't understand what you want W3C to do by the way... they've tried the "let's standardize first and wait for implementations later" before and it's failed miserably.

    Yah, we've also tried the: "let's not bother with standards at all and just let browsers do whatever the hell they want" and it worked even *worse*. Or do you simply not remember before IE and Netscape up to about version 5?

    So I guess the question is this: do you want to go back to the IE4/Netscape 4 days? Because that seems to be what you're asking for. Those who don't know history are doomed to repeat it?

    All I want from the W3C is this:
    1) Stop working on pointless, retarded standards that do nothing but waste everybody's time. Like XHTML2. (Fortunately, they've mostly already done this, too bad all those years were wasted on it previously.)
    2) Start moving at the speed everybody else wants them to move at. This they're still bad at-- HTML5 was going great until the W3C got a hold of it, now it's going nowhere slow.

    In short, I want them to MOOOOOOOOVE. There's nothing wrong with what they're doing, it's just so. fucking. slow. They introduce a nice cool feature to CSS3, and it's literally a DECADE until browser makers can implement it. Ridiculous.

    CSS3 has been in the works since 2005. Chrome has gone from "non-existent" to version 6 in that amount of time.

    Look, what it really comes down to is that the only party holding up the web right now is the W3C.

    Chrome, Safari, and to a lesser extent Firefox are busy implementing standards that aren't finalized-- kudos to them, but don't act as if they are "caught up" and IE is "behind". The reality is they are "above and beyond" and IE is "perfectly fine".

    Last time IE tried implementing standards that weren't finished, they got completely fucked over by the W3C, so I can completely understand their reluctance to do it. There's a non-zero chance that Chrome/Safari could be fucked-over by the W3C changing a standard out from under them, as well.