
Nasty Data-Stealing Bug Haunts Internet Explorer 8

Posted by Soulskill
from the waiting-for-the-right-tuesday dept.
Trailrunner7 writes "There's an unpatched vulnerability in Internet Explorer 8 that enables simple data-stealing attacks by Web-based attackers and could lead to an attacker hijacking a user's authenticated session on a third-party site. The flaw, which a researcher said may have been known since 2008, lies in the way IE8 handles CSS. The vulnerability can be exploited through an attack scenario known as cross-domain theft, and researcher Chris Evans originally brought the problem to light in a blog post in December. At the time, all of the major browsers were vulnerable to the attack, but since then, Firefox, Chrome, Safari and Opera all have implemented a simple defense mechanism. The upshot of this is that if a victim has visited a given Web site, authenticated himself to the site, and then visits a site controlled by an attacker, the attacker would have the ability to hijack the user's session and extract supposedly confidential data. This attack works on the latest, fully patched release of IE8."
  • Ie9 ? (Score:1, Interesting)

    by Anonymous Coward on Saturday September 04, 2010 @05:56PM (#33477600)

    How about IE9?

  • Re:What? (Score:1, Interesting)

    by Anonymous Coward on Saturday September 04, 2010 @06:19PM (#33477724)

    I'm as surprised as you. I think only people who have no idea about security use it. And not even more of them.

    Agreed: only people who don't know any better use MSIE. That and MS fanboys. Yes, they all have their vulnerabilities, but experience (12 years' worth) tells me that getting off of IE is the first step to getting rid of malware.

  • Re:What? (Score:3, Interesting)

    by $RANDOMLUSER (804576) on Saturday September 04, 2010 @06:19PM (#33477726)

    People still use MSIE?

    Yes, and there are women who stay with abusive husbands because "he said he's sorry, and he loves me, and it'll never happen again".

  • IE and Microsoft (Score:5, Interesting)

    by js3 (319268) on Saturday September 04, 2010 @06:29PM (#33477784)

    It's a strange thing. It seems the only reason IE exists is to repeatedly punch Microsoft's reputation in the face. I'm surprised one executive hasn't gotten so fed up and fired the "IE team" or replaced them with monkeys. I watch Channel 9 and there are some seriously smart people working at this company and yet this one program has done more to harm the company's reputation like no other.

  • by Anonymous Coward on Saturday September 04, 2010 @06:44PM (#33477864)

    IE's world-wide market share is currently around 80% to 85% of all web users.

    Alternate browsers have very poor support for properly rendering the text of most Asian languages, while IE has exceptionally good support, so the use of alternate browsers in places like Japan, China, Thailand, Taiwan and the Koreas is virtually unheard of. These markets, which are already far larger than the American or European markets, are still growing.

    Don't let the W3Schools stats confuse you. Those are for a small subset of the comparatively small American market, and thus aren't indicative of the global trends.

  • Re:No way! (Score:3, Interesting)

    by itlurksbeneath (952654) on Saturday September 04, 2010 @10:39PM (#33479092)

    Yeah, but what is surprising is that it has been a known issue for 8 months and still is an issue. Other major browser vendors patched and moved on.

  • Re:Ie9 ? (Score:2, Interesting)

    by symbolset (646467) on Saturday September 04, 2010 @11:40PM (#33479398)

    IE9 may as well be Mac software for most people. It will only work in Windows 7 and Vista.

  • Re:No way! (Score:3, Interesting)

    by hitmark (640295) on Sunday September 05, 2010 @03:12AM (#33480170)

    Would not surprise me if some major corporation's intraweb (or whatever the term is) package makes use of this as a feature in their design. As such, Microsoft needs to find a way to block the issue without destroying the workings of said package.
