• Skip to main content
  • Skip to primary sidebar
  • Skip to footer
  • Home
  • About Darknet
  • Hacking Tools
  • Popular Posts
  • Darknet Archives
  • Contact Darknet
    • Advertise
    • Submit a Tool
Darknet – Hacking Tools, Hacker News & Cyber Security

Darknet - Hacking Tools, Hacker News & Cyber Security

Darknet is your best source for the latest hacking tools, hacker news, cyber security best practices, ethical hacking & pen-testing.

Microsoft Investigates IE CSS Cross-Origin Theft Vulnerability

September 8, 2010

Views: 6,831

There’s a lot of circumstantial evidence surround this as Microsoft themselves haven’t clarified or publicly announced anything related to the CSS Cross-Origin Theft bug – but it seems fairly clear.

Some media sources are quoting it as a ‘new bug‘ – which it isn’t, according to other sources it has been known about for at least 2 years and one paper has traced it back as far as 2002 (PDF file).

Microsoft last Friday said it was looking into a long-known vulnerability in Internet Explorer (IE) that could be used to access users’ data and Web-based accounts.

The bug can allow hackers to hijack Web mail accounts, steal data and send illicit tweets, said Google security engineer Chris Evans in a message posted on the Full Disclosure mailing list. Evans also published a demonstration that showed how the flaw in IE8 could be used to commandeer a user’s Twitter account and send unauthorized tweets.

The vulnerability, known as a “CSS cross-origin theft” bug, has a long history. Researchers at Carnegie Mellon University, who recently published a paper on the subject, have traced it back as far as 2002. Those researchers will present their paper at the Conference on Computer and Communications Security next month. Even so, the flaw received little attention until Evans blogged about it in December 2009. He had submitted a bug report for Chrome eight months earlier.

Microsoft did Tweet about looking into something but haven’t named it although coincidentally it was just a few hours after the public disclosure of this flaw. A point of contention is that this bug has been known about for a long time and has been patched by all the other major browsers including Chrome and Firefox.

Another interesting point is that Chris Evans is actually a Google engineer. Earlier this year Tavis Ormandy went public with a serious flaw in Windows once again stating Microsoft was unwilling to address it.

Although Microsoft has not patched the vulnerability in IE8, other browsers, including Firefox, Chrome, Safari and Opera, have fixed the flaw. Google patched the bug in Chrome last January, while Mozilla did the same in July with Firefox 3.6.7 and Firefox 3.5.11.

IE9 includes a fix for the vulnerability. Microsoft plans to ship a public beta of IE9 on Sept. 15.

On Friday, Evans explained why he was adding to the patch pressure by crafting a proof-of-concept. “I have been unsuccessful in persuading the vendor to issue a fix,” he said of Microsoft.

Microsoft issued a statement Friday saying it was investigating Evans’ reports, but declined to answer questions on Monday, including whether earlier versions of IE were vulnerable or why it has not yet addressed the bug.

“We’re currently unaware of any attacks trying to use the claimed vulnerability or of customer impact,” said Jerry Bryant, a group manager with the Microsoft Security Response Center, in the e-mailed statement.

In the case of Tavis Ormandy it was the Windows Help Vulnerability Exploited In The Wild, I expect with this vulnerability going public and with an accompanying proof of concept we may well see this CSS attack in the wild too.

IF you are interested you can see the PoC for the bug here:

http://scary.beasts.org/misc/twitter.html

Source: Network World

Share
Tweet11
Share
Buffer
WhatsApp
Email
11 Shares

Filed Under: Exploits/Vulnerabilities, Windows Hacking Tagged With: IE, IE-security, internet explorer security, internet explorer vulnerability, internet-explorer, internet-explorer-exploit



Primary Sidebar

Search Darknet

  • Email
  • Facebook
  • LinkedIn
  • RSS
  • Twitter

Advertise on Darknet

Latest Posts

SUDO_KILLER - Auditing Sudo Configurations for Privilege Escalation Paths

SUDO_KILLER – Auditing Sudo Configurations for Privilege Escalation Paths

Views: 299

sudo is a powerful utility in Unix-like systems that allows permitted users to execute commands with … ...More about SUDO_KILLER – Auditing Sudo Configurations for Privilege Escalation Paths

Bantam - Advanced PHP Backdoor Management Tool For Post Exploitation

Bantam – Advanced PHP Backdoor Management Tool For Post Exploitation

Views: 336

Bantam is a lightweight post-exploitation utility written in C# that includes advanced payload … ...More about Bantam – Advanced PHP Backdoor Management Tool For Post Exploitation

AI-Powered Cybercrime in 2025 - The Dark Web’s New Arms Race

AI-Powered Cybercrime in 2025 – The Dark Web’s New Arms Race

Views: 531

In 2025, the dark web isn't just a marketplace for illicit goods—it's a development lab. … ...More about AI-Powered Cybercrime in 2025 – The Dark Web’s New Arms Race

Upload_Bypass - Bypass Upload Restrictions During Penetration Testing

Upload_Bypass – Bypass Upload Restrictions During Penetration Testing

Views: 517

Upload_Bypass is a command-line tool that automates discovering and exploiting weak file upload … ...More about Upload_Bypass – Bypass Upload Restrictions During Penetration Testing

Shell3r - Powerful Shellcode Obfuscator for Offensive Security

Shell3r – Powerful Shellcode Obfuscator for Offensive Security

Views: 707

If antivirus and EDR vendors are getting smarter, so are the tools that red teamers and penetration … ...More about Shell3r – Powerful Shellcode Obfuscator for Offensive Security

Understanding the Deep Web, Dark Web, and Darknet (2025 Guide)

Understanding the Deep Web, Dark Web, and Darknet (2025 Guide)

Views: 8,958

Introduction: How Much of the Internet Can You See? You're only scratching the surface when you … ...More about Understanding the Deep Web, Dark Web, and Darknet (2025 Guide)

Topics

  • Advertorial (28)
  • Apple (46)
  • Countermeasures (227)
  • Cryptography (82)
  • Database Hacking (89)
  • Events/Cons (7)
  • Exploits/Vulnerabilities (431)
  • Forensics (65)
  • GenAI (3)
  • Hacker Culture (8)
  • Hacking News (229)
  • Hacking Tools (684)
  • Hardware Hacking (82)
  • Legal Issues (179)
  • Linux Hacking (74)
  • Malware (238)
  • Networking Hacking Tools (352)
  • Password Cracking Tools (104)
  • Phishing (41)
  • Privacy (219)
  • Secure Coding (118)
  • Security Software (233)
  • Site News (51)
    • Authors (6)
  • Social Engineering (37)
  • Spammers & Scammers (76)
  • Stupid E-mails (6)
  • Telecomms Hacking (6)
  • UNIX Hacking (6)
  • Virology (6)
  • Web Hacking (384)
  • Windows Hacking (169)
  • Wireless Hacking (45)

Security Blogs

  • Dancho Danchev
  • F-Secure Weblog
  • Google Online Security
  • Graham Cluley
  • Internet Storm Center
  • Krebs on Security
  • Schneier on Security
  • TaoSecurity
  • Troy Hunt

Security Links

  • Exploits Database
  • Linux Security
  • Register – Security
  • SANS
  • Sec Lists
  • US CERT

Footer

Most Viewed Posts

  • Brutus Password Cracker – Download brutus-aet2.zip AET2 (2,292,457)
  • Darknet – Hacking Tools, Hacker News & Cyber Security (2,173,075)
  • Top 15 Security Utilities & Download Hacking Tools (2,096,616)
  • 10 Best Security Live CD Distros (Pen-Test, Forensics & Recovery) (1,199,676)
  • Password List Download Best Word List – Most Common Passwords (933,467)
  • wwwhack 1.9 – wwwhack19.zip Web Hacking Software Free Download (776,137)
  • Hack Tools/Exploits (673,289)
  • Wep0ff – Wireless WEP Key Cracker Tool (530,145)

Search

Recent Posts

  • SUDO_KILLER – Auditing Sudo Configurations for Privilege Escalation Paths May 12, 2025
  • Bantam – Advanced PHP Backdoor Management Tool For Post Exploitation May 9, 2025
  • AI-Powered Cybercrime in 2025 – The Dark Web’s New Arms Race May 7, 2025
  • Upload_Bypass – Bypass Upload Restrictions During Penetration Testing May 5, 2025
  • Shell3r – Powerful Shellcode Obfuscator for Offensive Security May 2, 2025
  • Understanding the Deep Web, Dark Web, and Darknet (2025 Guide) April 30, 2025

Tags

apple botnets computer-security darknet Database Hacking ddos dos exploits fuzzing google hacking-networks hacking-websites hacking-windows hacking tool Information-Security information gathering Legal Issues malware microsoft network-security Network Hacking Password Cracking pen-testing penetration-testing Phishing Privacy Python scammers Security Security Software spam spammers sql-injection trojan trojans virus viruses vulnerabilities web-application-security web-security windows windows-security Windows Hacking worms XSS

Copyright © 1999–2025 Darknet All Rights Reserved · Privacy Policy