OMEN
09-07-2010, 08:30 AM
URL shortening shenanigans
Microsoft is investigating reports of a new bug in Internet Explorer.
Redmond's Security Response Team (MSRT) said on Friday that it was aware of a "publicly disclosed issue involving Internet Explorer", and promised an investigation, without going into details.
Circumstantial evidence suggests Microsoft is referring to a post by security researcher Chris Evans, of Google, to a Full Disclosure mailing list on Friday, hours before MSRT's tweet.
"A nasty vulnerability exists in the latest Internet Explorer 8," Evans wrote. "I have been unsuccessful in persuading the vendor to issue a fix."
"The bug permits — for example — an arbitrary web site to force the victim to make tweets," he added.
The vulnerability may exist in other versions of IE and appears to be an extension of a cross-browser cross domain theft first documented by Evans via his scarybeastsecurity blog last December. Evans claims Microsoft has been aware of the bug since 2008, producing a harmless proof-of-concept exploit to illustrate his concerns.
Rik Ferguson, a senior security consultant at Trend Micro, explained that the exploit works by stealing the (supposedly secret) credentials for an already authenticated browser session, for example Twitter. "Those credentials are then abused to send arbitrary forged content," Ferguson writes.
The vulnerability might just as easily be used by other services that use URL shortening, according to Ferguson, who says that Opera, Chrome, Firefox and Safari have all already fixed this vulnerability.
Register
Microsoft is investigating reports of a new bug in Internet Explorer.
Redmond's Security Response Team (MSRT) said on Friday that it was aware of a "publicly disclosed issue involving Internet Explorer", and promised an investigation, without going into details.
Circumstantial evidence suggests Microsoft is referring to a post by security researcher Chris Evans, of Google, to a Full Disclosure mailing list on Friday, hours before MSRT's tweet.
"A nasty vulnerability exists in the latest Internet Explorer 8," Evans wrote. "I have been unsuccessful in persuading the vendor to issue a fix."
"The bug permits — for example — an arbitrary web site to force the victim to make tweets," he added.
The vulnerability may exist in other versions of IE and appears to be an extension of a cross-browser cross domain theft first documented by Evans via his scarybeastsecurity blog last December. Evans claims Microsoft has been aware of the bug since 2008, producing a harmless proof-of-concept exploit to illustrate his concerns.
Rik Ferguson, a senior security consultant at Trend Micro, explained that the exploit works by stealing the (supposedly secret) credentials for an already authenticated browser session, for example Twitter. "Those credentials are then abused to send arbitrary forged content," Ferguson writes.
The vulnerability might just as easily be used by other services that use URL shortening, according to Ferguson, who says that Opera, Chrome, Firefox and Safari have all already fixed this vulnerability.
Register