Microsoft Investigates IE CSS Cross-Origin Theft Vulnerability

The New Acunetix V12 Engine


There’s a lot of circumstantial evidence surround this as Microsoft themselves haven’t clarified or publicly announced anything related to the CSS Cross-Origin Theft bug – but it seems fairly clear.

Some media sources are quoting it as a ‘new bug‘ – which it isn’t, according to other sources it has been known about for at least 2 years and one paper has traced it back as far as 2002 (PDF file).

Microsoft last Friday said it was looking into a long-known vulnerability in Internet Explorer (IE) that could be used to access users’ data and Web-based accounts.

The bug can allow hackers to hijack Web mail accounts, steal data and send illicit tweets, said Google security engineer Chris Evans in a message posted on the Full Disclosure mailing list. Evans also published a demonstration that showed how the flaw in IE8 could be used to commandeer a user’s Twitter account and send unauthorized tweets.

The vulnerability, known as a “CSS cross-origin theft” bug, has a long history. Researchers at Carnegie Mellon University, who recently published a paper on the subject, have traced it back as far as 2002. Those researchers will present their paper at the Conference on Computer and Communications Security next month. Even so, the flaw received little attention until Evans blogged about it in December 2009. He had submitted a bug report for Chrome eight months earlier.

Microsoft did Tweet about looking into something but haven’t named it although coincidentally it was just a few hours after the public disclosure of this flaw. A point of contention is that this bug has been known about for a long time and has been patched by all the other major browsers including Chrome and Firefox.

Another interesting point is that Chris Evans is actually a Google engineer. Earlier this year Tavis Ormandy went public with a serious flaw in Windows once again stating Microsoft was unwilling to address it.

Although Microsoft has not patched the vulnerability in IE8, other browsers, including Firefox, Chrome, Safari and Opera, have fixed the flaw. Google patched the bug in Chrome last January, while Mozilla did the same in July with Firefox 3.6.7 and Firefox 3.5.11.

IE9 includes a fix for the vulnerability. Microsoft plans to ship a public beta of IE9 on Sept. 15.

On Friday, Evans explained why he was adding to the patch pressure by crafting a proof-of-concept. “I have been unsuccessful in persuading the vendor to issue a fix,” he said of Microsoft.

Microsoft issued a statement Friday saying it was investigating Evans’ reports, but declined to answer questions on Monday, including whether earlier versions of IE were vulnerable or why it has not yet addressed the bug.

“We’re currently unaware of any attacks trying to use the claimed vulnerability or of customer impact,” said Jerry Bryant, a group manager with the Microsoft Security Response Center, in the e-mailed statement.

In the case of Tavis Ormandy it was the Windows Help Vulnerability Exploited In The Wild, I expect with this vulnerability going public and with an accompanying proof of concept we may well see this CSS attack in the wild too.

IF you are interested you can see the PoC for the bug here:

http://scary.beasts.org/misc/twitter.html

Source: Network World

Posted in: Exploits/Vulnerabilities, Windows Hacking

, , , , ,


Latest Posts:


Gerix WiFi Cracker - Wireless 802.11 Hacking Tool With GUI Gerix WiFi Cracker – Wireless 802.11 Hacking Tool With GUI
Gerix WiFi cracker is an easy to use Wireless 802.11 Hacking Tool with a GUI, it was originally made to run on BackTrack and this version has been updated for Kali (2018.1).
Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds.


Comments are closed.