Slashdot Mirror

← Back to Stories (view on slashdot.org)

Nasty Data-Stealing Bug Haunts Internet Explorer 8

Posted by Soulskill on from the waiting-for-the-right-tuesday dept.

Trailrunner7 writes "There's an unpatched vulnerability in Internet Explorer 8 that enables simple data-stealing attacks by Web-based attackers and could lead to an attacker hijacking a user's authenticated session on a third-party site. The flaw, which a researcher said may have been known since 2008, lies in the way IE8 handles CSS. The vulnerability can be exploited through an attack scenario known as cross-domain theft, and researcher Chris Evans originally brought the problem to light in a blog post in December. At the time, all of the major browsers were vulnerable to the attack, but since then, Firefox, Chrome, Safari and Opera all have implemented a simple defense mechanism. The upshot of this is that if a victim has visited a given Web site, authenticated himself to the site, and then visits a site controlled by an attacker, the attacker would have the ability to hijack the user's session and extract supposedly confidential data. This attack works on the latest, fully patched release of IE8."

16 of 151 comments (clear)

  1. What? by lennier1 · · Score: 4, Funny

    People still use MSIE?

    1. Re:What? by Beelzebud · · Score: 5, Funny

      At least they get told "sorry, I love you, it won't happen again".

      People using IE don't even get that much!

    2. Re:What? by $RANDOMLUSER · · Score: 3, Funny

      Sure they do: "It's the most secure Windows, ever!".

      --
      No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    3. Re:What? by Blakey+Rat · · Score: 3, Insightful

      Browsers have always supported standards that aren't finished, at least since I started using them in the early 90s; heck, many of the standards themselves co-opted features that browsers had implemented themselves.

      Oh, I agree with you completely. But you can't *blame* them for it.

      The complaint sums to: "they didn't go as much above and beyond as other browsers have."

      --
      Comment of the year
  2. Re:Let me the first to say..... by straponego · · Score: 3, Informative

    Eh, more like 15, but who's counting?

  3. Re:Let me the first to say..... by AnonymousClown · · Score: 5, Funny
    Well, now, using Einstein's time dilation equations and multiplying by the number of years that IE has existed, the internet, the speed of the signals around the net, that 15 years from our perspective is actually 30 by IE's perspective.

    Steve Hawking goes into a little more depth in his new book and Greene actually says String theory supports it too.

    We're on our way to a Unified Theory all thanks to IE and Microsoft.

    --
    RIP America

    July 4, 1776 - September 11, 2001

  4. IE and Microsoft by js3 · · Score: 5, Interesting

    It's a strange thing. It seems the only reason IE exists it to repeated punch microsofts reputation in the face. I'm surprised one executive hasn't gotten so fed up and fired the "IE team" or replaced them with monkeys. I watch Channel 9 and there are some seriously smart people working at this company and yet this one program has done more to harm the company's reputation like no other.

    --
    did you forget to take your meds?
    1. Re:IE and Microsoft by Zixaphir · · Score: 4, Funny

      It's a strange thing. It seems the only reason Ballmer exists it to repeated punch Microsoft's reputation in the face. I'm surprised shareholders haven't gotten so fed up and fired the "Monkey Dance" Ballmer or replaced him with a better monkey. I watch Channel 9 and there are some seriously smart people working at this company and yet this one person has done more to harm the company's reputation like no other.

      --
      "Now I am become Death, the destroyer of worlds"
    2. Re:IE and Microsoft by WrongSizeGlass · · Score: 4, Funny

      I'm surprised one executive hasn't gotten so fed up and fired the "IE team" or replaced them with monkeys.

      Do you have any proof that they haven't been replaced by monkeys?

    3. Re:IE and Microsoft by Nidi62 · · Score: 3, Funny

      Has Microsoft put out any Shakespeare yet? Then there's your proof.

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    4. Re:IE and Microsoft by grcumb · · Score: 5, Funny

      Has Microsoft put out any Shakespeare yet? Then there's your proof.

      I dunno, I consider MSIE to be the of the great tragedies of my lifetime....

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
  5. Re:About 80% to 85% of all users worldwide... by 93+Escort+Wagon · · Score: 3, Insightful

    Don't let the W3Schools stats confuse you. Those are for a small subset of the comparatively small American market, and thus aren't indicative of the global trends.

    Just keep fiddling while Rome burns, Nero.

    --
    #DeleteChrome
  6. Re:Times change by Blakey+Rat · · Score: 3, Informative

    What year are you from? IE hasn't been used for Windows Update since... well, hell, it was optional even in Windows XP. Going to the site in Vista (almost 4 years old now) or higher just redirects you to the control panel.

    It's not 1998 anymore.

    --
    Comment of the year
  7. So? by Lanteran · · Score: 3, Insightful

    if you're using internet explorer, you deserve every bug you get. If you're in one of those companies that mandates IE or something, company data theft is their fault and their loss. If you're reading slashdot, chances are you know that entering your personal data on one of those computers is probably a bad idea because besides internet explorer, they also more than likely have company monitoring software installed.

    --
    "People don't want to learn linux" hasn't been a valid excuse since '03.
  8. Re:About 80% to 85% of all users worldwide... by Lanteran · · Score: 5, Informative

    actually its only 52% and dropping rapidly. If nothing else, at least MS is having to make a modern standards complaint browser. I for one, don't think it'll be enough to gain back much lost market share, but at least it'll make it easier on us web developers. Source: http://en.wikipedia.org/wiki/Internet_Explorer#Market_adoption_and_usage_share

    --
    "People don't want to learn linux" hasn't been a valid excuse since '03.
  9. Theft, really? by noidentity · · Score: 3, Insightful

    There's an unpatched vulnerability in Internet Explorer 8 that enables simple data-stealing attacks by Web-based attackers and could lead to an attacker hijacking a user's authenticated session on a third-party site.

    Data theft is easy to detect, just look for missing data. These sound like data spying/eavesdropping attacks, that is, where the attacker is able to monitor all your data without your knowledge. Nowadays it seems that "theft" has come to mean "something I don't like".