Microsoft investigates Internet Explorer CSS bug

A flaw in Internet Explorer 8 can enable an attacker to steal data or force the victim to post to Twitter or other social networks.

Microsoft is investigating reports of a new vulnerability in Internet Explorer 8 that could enable an attacker to steal data or wreak havoc on some social networks, according to a public disclosure of the flaw posted to the Full Disclosure mailing list.


An Internet Explorer CSS bug enables an attacker to forward the browser to a malicious website and force the victim to post a message to Twitter or other social networks. The cross-origin attack affects the way a browser handles CSS style sheets. It can hijack a user's authenticated browsing session and steal personal information even if JavaScript is disabled.

The IE flaw was disclosed on the mailing list by Google engineer Chris Evans, a security researcher who documents security holes he finds during penetration testing, code auditing and black-box analysis.

The cross-origin attack targeting CSS was disclosed in December. Other browser makers including Apple, Google, Mozilla and Opera have since corrected the issue.

"I have been unsuccessful in persuading the vendor to issue a fix," Evans said. "This is purely an IE bug; there is no fault on behalf of Twitter and there is no reasonable workaround."

Evans said the vulnerability may have been known since 2008 and likely affects earlier versions of IE. To exploit the vulnerability, an attacker needs the victim to click on a link. Evans wrote that in his scenario, shortened URLs could be used and pose a serious problem.

In a post on Twitter, Microsoft acknowledged that it was investigating public reports of a new vulnerability.

DLL load hijacking flaw
Microsoft has also been addressing reports of a DLL hijacking flaw. The software giant issued an update to a security advisory last week, warning users to deploy a new tool and an automated fix to temporarily address the issue.

The vulnerability affects applications, including third-party applications, which share files in Windows. The software giant said it would fix the issue in its applications over time. An attacker could use the vulnerability to execute code on a victim's machine, but Microsoft rated the flaw "important" because it would take user interaction. A user would need to click through a series of warnings and dialogs to open a malicious file attempting to exploit the vulnerability, Microsoft said.

~Robert Westervelt
