Microsoft investigates Internet Explorer CSS vulnerability

SearchSecurity.com Staff

Microsoft is investigating reports of a new vulnerability in Internet Explorer that could enable an attacker to steal data or wreak havoc on some social networks, according to a public disclosure of the flaw posted to the Full Disclosure mailing list.

A bug affecting Internet Explorer 8 enables an attacker to forward the browser to a malicious website and force the victim to post a message to Twitter or other social networks. The cross-origin attack affects the way a browser handles CSS style sheets. It can hijack a user's authenticated browsing session and steal personal information even if JavaScript is disabled.

The IE flaw was disclosed on the mailing list by Chris Evans, a security researcher who documents security holes he finds during penetration testing, code auditing and black-box analysis.

The cross-origin attack targeting CSS was disclosed in December. Other browser makers including Apple, Google, Mozilla and Opera have since corrected the issue.

"I have been unsuccessful in persuading the vendor to issue a fix," wrote Evans. "This is purely an IE bug; there is no fault on behalf of Twitter and there is no reasonable workaround."

Evans said the vulnerability may have been known since 2008 and likely affects earlier versions of IE. To exploit the vulnerability, an attacker needs the victim to click on a link. Evans wrote that in his scenario, shortened URLs could be used and pose a serious problem.

In a post on Twitter, Microsoft acknowledged that it was investigating public reports of a new vulnerability.

DLL load hijacking flaw.
Microsoft has also been addressing reports of a DLL hijacking flaw. The software giant issued an update to a security advisory last week, warning users to deploy a new tool and an automated fix-it to temporarily address the issue.

The vulnerability affects applications, including third-party applications, that share files in Windows. The software giant said it would fix the issue in its applications over time. An attacker could use the vulnerability to execute code on a victim's machine, but Microsoft rated the flaw "important" because exploitation would take user interaction. A user would need to click through a series of warnings and dialogs to open a malicious file attempting to exploit the vulnerability, Microsoft said.

~Robert Westervelt