Microsoft Internet Explorer 8 vulnerability

2010.09.05
Credit: Chris Evans
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Hi, In an attempt to get this bug fixed... A nasty vulnerability exists in the latest Internet Explorer 8. I have been unsuccessful in persuading the vendor to issue a fix. The bug permits -- for example -- an arbitrary web site to force the victim to make tweets. (For academic research purposes only) Harmless example: http://scary.beasts.org/misc/twitter.html This is not weaponized. It won't do anything to your Twitter account unless you press the button. Notes: - This is purely an IE bug; there is no fault on behalf of Twitter and there is no reasonable workaround. - Similar attacks can be mounted against other sites of interest. - There's evidence to suggest that Microsoft has been aware of this since at least 2008. - This could interact unpleasantly with the trust people place in URL shorteners. - This probably affects earlier versions. References: - Public CMU academic paper: http://websec.sv.cmu.edu/css/css.pdf - A less serious variant in all the other major browsers (long since fixed by all of them): http://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-cross-domain.html Cheers Chris


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top