A security researcher has published information showing that a previously unknown design flaw in Microsoft's Internet Explorer could be used by malicious Web sites to steal sensitive information from IE users' computers.
Israeli hacker Matan Gillon says he's discovered that an unpatched security hole in IE could allow a Web site to see files on the visitor's computer that store data about the user's relationship with other Web sites.
In a detailed analysis published on his Web site, Gillon demonstrates how the hack could be leveraged to steal data on the victim's machine indexed by Google Desktop Search, a free program that allows users to quickly find a variety of files on their computers. The problem is not with Google's software, which contains several built-in security measures to ensure that data cached by its software cannot be read by anyone other than the user.
Gillon's research shows that if an IE user is already logged on to a Web-based service -- such as Gmail or Hotmail, for example -- a malicious Web page could execute certain operations in the user's account, such as opening e-mails and relaying them back to the site's owner for remote viewing.
"This discovery has implications that go far beyond the Google trick," said Tom Liston, a senior analyst for Intelguardians, an information security consulting group in Washington. "Over the next few days I think we’re going to see a lot of people coming out and saying the Google Desktop thing was kinda cool, but that there are far more dangerous implications."
According to Gillon, the hack works because IE does not properly parse files written in Cascading Style Sheets (CSS), a Web design language used by thousands of Internet sites.
The exploit demonstrated on Gillon's site works on a fully patched IE browser with default security and privacy settings. Gillon said other browsers, such as Firefox, are sufficiently locked down that the hack doesn't work on them.
This is yet another IE flaw that cannot be exploited if the user disables scripting. (For instructions on how to do that, see this post.) However, given the danger presented by this and other recent discoveries of IE security holes, I would strongly recommend that IE users consider downloading and using another browser, like Firefox, Opera or Netscape. Last month, security researchers released instructions demonstrating how Web sites could use another serious, unpatched, script-related flaw in IE to seize control of computers.
Microsoft said in a statement that it was investigating the problem, saying the exploit detailed by Gillon "could potentially allow an attacker to access content in a separate website if that website is in a specific configuration." The company said it was not aware of any "active attacks or of customer impact," and said it may issue a security advisory on the matter or provide an update through its monthly patch release process to fix the problem.
News of this research was first reported by eWeek, which has a more technical description of how the attack works.
By Brian Krebs | December 2, 2005; 03:35 PM ET