Microsoft is investigating reports of a new vulnerability in Internet Explorer 8 that could enable an attacker to steal data or wreak havoc on some social networks, according to a public disclosure of the flaw posted to the Full Disclosure mailing list.
The IE flaw was disclosed on the mailing list by Google engineer Chris Evans, a security researcher who documents security holes he finds during penetration testing, code auditing and black-box analysis.
The cross-origin attack targeting CSS was disclosed in December. Other browser makers including Apple, Google, Mozilla and Opera have since corrected the issue.
"I have been unsuccessful in persuading the vendor to issue a fix," Evans said. "This is purely an IE bug; there is no fault on behalf of Twitter and there is no reasonable workaround."
Evans said the vulnerability may have been known since 2008 and likely affects earlier versions of IE. To exploit the vulnerability, an attacker needs the victim to click on a link. Evans wrote that in his scenario, shortened URLs could be used and pose a serious problem.
In a post on Twitter, Microsoft acknowledged that it was investigating public reports of a new vulnerability.
DLL load hijacking flaw
Microsoft has also been addressing reports of a DLL hijacking flaw. The software giant issued an update to a security advisory last week, warning users to deploy a new tool and an automated fix to temporarily address the issue.
The vulnerability affects applications, including third-party applications, which share files in Windows. The software giant said it would fix the issue in its applications over time. An attacker could use the vulnerability to execute code on a victim's machine, but Microsoft rated the flaw "important" because exploiting it would take user interaction. A user would need to click through a series of warnings and dialogs to open a malicious file attempting to exploit the vulnerability, Microsoft said.