I know that it seems like I’m piling on Microsoft lately, but the thing is, when it rains, it pours. I was checking the ZDNet Security pages and came upon a tidbit from Ryan Naraine.
Microsoft’s Internet Explorer browser suffers from a data leakage flaw that could have serious security implications.
The vulnerability, which was reported to Microsoft more than 600 days ago (December 2008), remains unfixed despite multiple efforts by security researchers to highlight the severity of the problem.
Google security researcher Chris Evans, who previously reported a similar flaw in Mozilla Firefox, said this minor flaw can have major headaches:
The bug is specific to Internet Explorer, and still seems unfixed (in stable versions) at the time of writing. I told Microsoft about it back in 2008. Therefore this disclosure is not an 0-day, but more like a 600-day.
The bug is pretty simple: IE supports a window.onerror callback which fires whenever a Javascript parse or runtime error occurs. Trouble is, it fires even if www.evil.com registers its own window.onerror handler and then uses <script src="http://www.bank.com/">
Evans posted a demo attack against Google Reader (since blocked) that works by stealing cross-origin content which happens to be an anti-XSRF token.
NOTE: I’ve asked Microsoft for a response and will update this blog post as necessary.
UPDATE: It doesn’t look like Microsoft is planning to fix this anytime soon. Here is the company’s response:
“Microsoft is aware of the public posting of a low severity information disclosure issue in Internet Explorer. A successful attack requires a victim website to be configured in a specific way which is non-standard for most sites. We are not aware of any attacks seeking to exploit this issue and will update customers if that changes.”
So we see more of the “we don’t care enough to fix it” attitude, accompanied by the acknowledgement that it can successfully be exploited with not that much trouble.
This is the scenario when I would take the opposite stand to the one with Mozilla, and not just because it is Microsoft, but because the company is allowing bad code to stand. I can’t stand laziness, and not only was it lazy to not fix their own code, it was lazy to let it sit unanswered this long.
This should be exploited, and Microsoft should receive all the blame it deserves. Another reason that Microsoft should get a full jamming on this is because they have had so much time to fix it, and have probably the largest programming staff in existence.
One thing is for sure, if this is shown to be a problem in Internet Exploder 9, a few heads should roll, with Ballmer’s as the first one.
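The site-side shape the quoted passages describe (a cookie-authenticated GET whose body is the anti-XSRF token, which a cross-origin script include can load and IE's window.onerror then echoes back) beside the fix a site owner can apply, as an added example in Python that is not from this post or from Chris Evans's demo. The endpoint names, the session store and the header check are assumptions of the example, not anything the page states about Google Reader.

```python
import json

# Constructed session store for the example: one logged-in user with a CSRF token.
SESSIONS = {"sid-1234": {"user": "alice", "csrf": "tok-0123456789abcdef"}}

def _session_from_cookie(headers):
    """Return the session matched by the 'sid' cookie, or None."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid" and value in SESSIONS:
            return SESSIONS[value]
    return None

def weak_token_endpoint(method, headers):
    """Leaky shape: any cookie-bearing request gets the bare token as the body.

    A <script src=...> on another origin sends the victim's cookies, so it gets
    this body too; run as script, a bare token is an unresolved identifier, and a
    browser that passes the error text to window.onerror hands the token over.
    """
    session = _session_from_cookie(headers)
    if session is None:
        return 401, "text/plain", ""
    return 200, "text/plain", session["csrf"]

def hardened_token_endpoint(method, headers):
    """Fixed shape: require POST plus a header a <script> tag cannot set."""
    session = _session_from_cookie(headers)
    if session is None:
        return 401, "application/json", json.dumps({"error": "no session"})
    # <script src> can only issue a GET and cannot add custom request headers;
    # the site's own XMLHttpRequest can do both, so this stops the cross-origin load.
    if method != "POST" or headers.get("X-Requested-With") != "XMLHttpRequest":
        return 403, "application/json", json.dumps({"error": "same-origin XHR only"})
    # Wrap the token in JSON so the body is never a bare identifier either.
    return 200, "application/json", json.dumps({"csrf": session["csrf"]})

def script_include_request():
    """What a cross-origin <script src> fetch carries: the cookies, nothing else."""
    return "GET", {"Cookie": "sid=sid-1234"}

def same_origin_xhr_request():
    """What the site's own JavaScript sends when it asks for the token."""
    return "POST", {"Cookie": "sid=sid-1234", "X-Requested-With": "XMLHttpRequest"}
```

The header requirement is the part that matters; the JSON wrapper only reduces what an error message could contain if the load were ever allowed through.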
§
We live in a Newtonian world of Einsteinian physics ruled by Frankenstein logic.
- David Russell