Please create an account to participate in the Slashdot moderation system


Forgot your password?
Internet Explorer Firefox Microsoft Security Technology

Nasty Data-Stealing Bug Haunts Internet Explorer 8 151

Trailrunner7 writes "There's an unpatched vulnerability in Internet Explorer 8 that enables simple data-stealing attacks by Web-based attackers and could lead to an attacker hijacking a user's authenticated session on a third-party site. The flaw, which a researcher said may have been known since 2008, lies in the way IE8 handles CSS. The vulnerability can be exploited through an attack scenario known as cross-domain theft, and researcher Chris Evans originally brought the problem to light in a blog post in December. At the time, all of the major browsers were vulnerable to the attack, but since then, Firefox, Chrome, Safari and Opera all have implemented a simple defense mechanism. The upshot of this is that if a victim has visited a given Web site, authenticated himself to the site, and then visits a site controlled by an attacker, the attacker would have the ability to hijack the user's session and extract supposedly confidential data. This attack works on the latest, fully patched release of IE8."
This discussion has been archived. No new comments can be posted.

Nasty Data-Stealing Bug Haunts Internet Explorer 8

Comments Filter:
  • Ie9 ? (Score:1, Interesting)

    by Anonymous Coward

    how about ie9?

    • You're asking if it's been fixed in an pre-release, unsupported version of IE?

      • Re: (Score:2, Funny)

        by Anonymous Coward

        Isn't that all of them?

    • Re: (Score:2, Interesting)

      by symbolset ( 646467 )
      IE9 may as well be Mac software for most people. It will only work in Windows 7 and Vista.
      • I think you mean that it'll run on every version of windows released in the past 8 years.

  • IE as well know, unpatched security vulnerabilities? Thats so surprising!
    • Re: (Score:3, Interesting)

      Yeah, but what is surprising is that it has been a known issue for 8 months and still is an issue. Other major browser vendors patched and moved on.
      • Re: (Score:3, Interesting)

        by hitmark ( 640295 )

        would not surprise me if some major corporations intraweb (or whatever the term is) package makes use of this as a feature in their design. As such, Microsoft needs to find a way to block the issue without destroying the workings of said package.

  • What? (Score:5, Funny)

    by lennier1 ( 264730 ) on Saturday September 04, 2010 @06:06PM (#33477646)

    People still use MSIE?

    • I'm as surprised as you. I think only people who have no idea about security use it. And not even more of them.
      • Re: (Score:1, Interesting)

        by Anonymous Coward

        I'm as surprised as you. I think only people who have no idea about security use it. And not even more of them.

        Agreed: only people who don't know any better use MSIE. That and MS fanboys. Yes, they all have their vulnerabilities, but experience (12 years worth) tells me that getting off of IE is the first step to getting rid of malware.

        • by smash ( 1351 )

          No, not necessarily. If you have sharepoint (or a million other different legacy apps) in the workplace, IE is a necessity.

          If you want to easily roll out configuration settings in an MS environment, you use IE.

          And given the above, to maintain a sane, controlled, easy to maintain and troubleshoot environment - you roll ONE standard browser and keep that maintained. Anything else = unsupported.

          If you happen to be on Windows, IE is already there anyway. Adding another browser simply means 2 sets of s

          • by Bert64 ( 520050 )

            If one machine gets infected, that infection may spread... If all the workstations are part of a domain and share authentication details it becomes far easier to spread too.

            The fact IE comes by default, and isn't easily removable is even more reason not to use it, it shows that it cant (and never could) stand on its own merit as a browser, they have to use dirty tricks like this to get people to use it.

        • Its possible that it stops malware because when you switch them to a new browser, all the crappy insecure plugins arent switched over (java, acrobat, flash, quicktime) unless you reinstall them.

          Im all for lambasting IE8 for the awful awful browser it is, but lets lay blame where its deserved-- most malware is plugin-induced.
      • I use FF as my everyday browser, but I can tell you there are plenty of corporate portals, etc. I have to deal with that only render properly in IE. I'm not defending the practice, and I think anyone who deliberately codes a page that breaks standards should be shot, but that doesn't change the fact I have to use IE (and hence windows) at various times throughout the week.
      • There have been a bunch of vulnerabilities that were rendered completely ineffective by IE's protected mode which, I think, is still unmatched by other browsers. I think IE has evened the game up a lot now, and there's a reasonable argument that since IE is pretty much forced to be on the computer anyway you are best limiting the surface area of attack by not installing any more browsers or other software that you don't need.

        Now, as it happens, IE is so much more unpleasant to use (mainly speed, but other

        • by smash ( 1351 )

          +1 to this. All our new office machines are Windows 7 64 bit with IE8 in protected mode, and sites locked down into security zones. IE 8 is a mandatory install on all the old XP boxes.

          And yes, javascript performance (and web performance in IE8 in general) is pretty abysmal, but IE is already there, and installing anything else in addition to that is simply increasing your exposure, configuration and patch maintenance, etc.

          • Re: (Score:3, Informative)

            by Lennie ( 16154 )

            And still it will not help with this problem.

            This is not an attack where it tried to infect your windows installation or anything like that.

            This is an cross-domain information leakage problem.

            Where someone can get information from domain x by inserting something from domain y and use that to do thing on domain x or do session hijacking.

            Session hijacking would mean if you logged in on some site, someone else from somewhere else can login while you were logged in.

            Come back when you understand web-development.

            • by smash ( 1351 )

              Did I say it would help with this particular problem? No, it won't. However security problems are NOT exclusive to IE, and there is plenty you can to do mitigate issues that you can't easily do with other browsers.

              Come back when you understand application security.

              • by Lennie ( 16154 )

                OK, the way I put it, I was being an asshole.

                But the point was, it did not apply. And you mentioned you didn't want it to.

                Fine, I'll shut up about it.

          • by Bert64 ( 520050 )

            So people will make do with an inferior browser, because its more efficient than the only other alternative of having an inferior browser *AND* a better one at the same time. Does that not sound extremely stupid to anyone else?

            So basically the most secure configuration of windows is still weaker than that of any other platform.

            Glad i don't use windows, and can therefore have only the browser(s) i want installed and can easily remove anything which is unwanted therefore having even less exposure, configurati

    • Re: (Score:2, Troll)

      by 0123456 ( 636235 )

      People still use MSIE?

      I used it last week on a friend's computer, and was amazed to discover that this product of a multi-billion dollar software company doesn't even support multicolumn rendering or HTML5 video tags. It felt like I'd fallen through a time warp into the 1990s.

      • Don't be surprised. It took them long enough to finally interpret the alpha information stored in PNG images.

      • Re: (Score:3, Informative)

        by Jorl17 ( 1716772 )
        And yet, I'm pissed off at the fact that they keep saying all over the Web that IE9 kicks other browsers' ass. My family all wants to try the new MS product because of those FUCKING PROMOTIONS.
        • Re: (Score:2, Insightful)

          by Anonymous Coward
          Welcome to the world of marketing. Contrary to popular opinion, advertisement works.
        • Re: (Score:3, Insightful)

          by Firehed ( 942385 )

          As a web app developer, I welcome IE9 with open arms. I'm certainly not going to be switching to it for personal use, but it promises to at least catch IE up with the browsers of three years ago.

          Perfect? Not even close. Acceptable? Sure. Any time I spend fighting with it will be over minor CSS3 graphical enhancements, not basic rendering. And yes, I'd prefer if MS just bit the bullet and switched to an open rendering platform like Webkit, but if IE9 ends up living up to the claims, it's as good as I can ho

          • by smash ( 1351 )

            Ditto. However I think microsoft are trapped by their own success. There is that much legacy content out there on corporate intranets, etc that they can't change rendering engines. They need to keep all the old cruft in there so that they can fall back to IE6 mode to render content generated by their own software (eg, sharepoint, etc) properly.

            I'm certainly looking forward to IE9 as it means I'll have a half-decent standards compliant (or certainly better than current) browser that I can lock down wit

            • by Bert64 ( 520050 )

              Don't rely on group policy to "lock down" anything, the best you can hope for with group policy is to distribute a set of defaults... DO NOT rely on it for any kind of security whatsoever.

    • Re: (Score:3, Interesting)

      People still use MSIE?

      Yes, and there are women who stay with abusive husbands because "he said he's sorry, and he loves me, and it'll never happen again".

    • by Anonymous Coward

      IE's world-wide market share is currently around 80% to 85% of all web users.

      Alternate browsers have very poor support for properly rendering the text of most Asian languages, while IE has exceptionally good support, so the use of alternate browsers in places like Japan, China, Thailand, Taiwan and the Koreas is virtually unheard of. These markets, which are already far larger than the American or European markets, are still growing.

      Don't let the W3Schools stats confuse you. Those are for a small subset of

    • by haruchai ( 17472 )

      Which twat modded this Flamebait? Mod it Funny, twat or don't mod it at all.

  • Bummer (Score:3, Funny)

    by symbolic ( 11752 ) on Saturday September 04, 2010 @06:13PM (#33477698)

    I just upgraded to IE 8 yesterday to verify a support issue.

  • Times change (Score:2, Insightful)

    by oldhack ( 1037484 )

    Can't remember the last time I fired up IE (I do have IE8 installed).

    Kudos to FF team. Thank god I don't work on webapps anymore.

  • IE and Microsoft (Score:5, Interesting)

    by js3 ( 319268 ) on Saturday September 04, 2010 @06:29PM (#33477784)

    It's a strange thing. It seems the only reason IE exists it to repeated punch microsofts reputation in the face. I'm surprised one executive hasn't gotten so fed up and fired the "IE team" or replaced them with monkeys. I watch Channel 9 and there are some seriously smart people working at this company and yet this one program has done more to harm the company's reputation like no other.

    • by Zixaphir ( 845917 ) <{Jinira} {at} {}> on Saturday September 04, 2010 @07:12PM (#33478002) Homepage
      It's a strange thing. It seems the only reason Ballmer exists it to repeated punch Microsoft's reputation in the face. I'm surprised shareholders haven't gotten so fed up and fired the "Monkey Dance" Ballmer or replaced him with a better monkey. I watch Channel 9 and there are some seriously smart people working at this company and yet this one person has done more to harm the company's reputation like no other.
    • by WrongSizeGlass ( 838941 ) on Saturday September 04, 2010 @07:43PM (#33478146)

      I'm surprised one executive hasn't gotten so fed up and fired the "IE team" or replaced them with monkeys.

      Do you have any proof that they haven't been replaced by monkeys?

    • Re: (Score:3, Insightful)

      by drolli ( 522659 )

      Well - you know the big fight they posed about "IE being a core part of Windows". And i guess a selling point for large administrations was "working together very well with the OS" and "supporting you old web applications with active X as long as you want". Yeah sure.

      Go to your customers with 10000 licences of Windows (and 10000 licenses of MS Office) and tell them in the face: "Sorry guys, we know we said IE would be working forever and especially well with windows, but you know, we cant afford that team a

    • It's a strange thing. It seems the only reason IE exists it to repeated punch microsofts reputation in the face.

      I question why they bother with a browser at all. What do they really gain from it? Wouldn't the money they spend on IE be better spent on the core OS?

  • by Anonymous Coward

    why fix it?

  • So? (Score:3, Insightful)

    by Lanteran ( 1883836 ) on Saturday September 04, 2010 @07:33PM (#33478094) Homepage Journal
    if you're using internet explorer, you deserve every bug you get. If you're in one of those companies that mandates IE or something, company data theft is their fault and their loss. If you're reading slashdot, chances are you know that entering your personal data on one of those computers is probably a bad idea because besides internet explorer, they also more than likely have company monitoring software installed.
    • by smash ( 1351 )
      This is why you put a content filtering firewall in front of it. As is a good idea to protect the average "blue E = teh intarwebs!!" luser, irrespective of browser selection.
      • by Lennie ( 16154 )

        You policy has to be really strict to have that filtering filewall work against these kind of cross-domain exploits.

        I know it might be to much to ask for people to read the article and understand what issue it is about. This is slashdot after all...

        • by smash ( 1351 )
          Again, I'm talking about browser security in general terms, not this specific incident. There will always be specific incidents that fall through the cracks, and IE (when properly configured), Firefox, Safari, etc are not so different in that regard.
          • by smash ( 1351 )
            Plus... ie is already installed. Installing a second browser means you have TWO potential vectors for intrustion to secure and maintain...
    • by thijsh ( 910751 )

      If you're using internet explorer, you deserve every known bug that M$ neglects to patch for a long long time.

      FTFY. All mayor browsers except Opera suffered from this attack vector, but all others patched it fairly fast. This isn't a problem with bugs, this is a problem with the patching of those bugs, and M$ shows how little they care for customers every day they leave exposing bugs like this and many others [] unpatched for *years*.

  • We always hear about "sites controlled by an attacker", any one have a daily updating list of compromised sites?
    • Re: (Score:3, Funny)

      by a_n_d_e_r_s ( 136412 )

      Yes there is sites out there where the company behind them send out software that infect your computer and causes it to become open for anyone to take over.

      Some of them even pretend to do useful things for you like pretending to be a way to secure your computer from nasty attacks.

      For one nasty example check out this site: []

  • God's ten commandments aren't adhered to ... well at least a major subset of them. How can you expect the rest of the population to listen to administrators when they suggest "don't use IE"?

  • Theft, really? (Score:4, Insightful)

    by noidentity ( 188756 ) on Sunday September 05, 2010 @12:32AM (#33479632)

    There's an unpatched vulnerability in Internet Explorer 8 that enables simple data-stealing attacks by Web-based attackers and could lead to an attacker hijacking a user's authenticated session on a third-party site.

    Data theft is easy to detect, just look for missing data. These sound like data spying/eavesdropping attacks, that is, where the attacker is able to monitor all your data without your knowledge. Nowadays it seems that "theft" has come to mean "something I don't like".

I've noticed several design suggestions in your code.