From: David Perry (MKT-US)
Sent: Wednesday, September 08, 2010 12:39:41 AM
Subject: ::NEWSBANK:: MS probes mystery IE bug
MS probes mystery IE bug
URL shortening shenanigans
By John Leyden
Posted in Applications, 6th September 2010 15:28 GMT
Microsoft is investigating reports of a new bug in Internet Explorer.
Redmond's Security Response Team (MSRT) said on Friday that it was aware of a "publicly disclosed issue involving Internet Explorer", and promised an investigation, without going into details.
Circumstantial evidence suggests Microsoft is referring to a post by security researcher Chris Evans, of Google, to a Full Disclosure mailing list on Friday, hours before MSRT's tweet.
"A nasty vulnerability exists in the latest Internet Explorer 8," Evans wrote. "I have been unsuccessful in persuading the vendor to issue a fix."
"The bug permits — for example — an arbitrary web site to force the victim to make tweets," he added.
The vulnerability may exist in other versions of IE and appears to be an extension of a cross-browser cross-domain theft first documented by Evans via his scarybeastsecurity blog last December. Evans claims Microsoft has been aware of the bug since 2008, and he has produced a harmless proof-of-concept exploit to illustrate his concerns.
Rik Ferguson, a senior security consultant at Trend Micro, explained that the exploit works by stealing the (supposedly secret) credentials for an already authenticated browser session, for example Twitter. "Those credentials are then abused to send arbitrary forged content," Ferguson writes.
The vulnerability might just as easily be exploited through other services that use URL shortening, according to Ferguson, who says that Opera, Chrome, Firefox and Safari have all already fixed this vulnerability.
A huge row kicked off back in June when another Google researcher, Tavis Ormandy, posted details of a Windows XP Help Center bug. Ormandy had given Microsoft just five days to fix the bug before going public. The incident reignited the long-running debate about the disclosure of security vulnerabilities, with spirited defences of their positions from both the full and responsible co-ordinated disclosure camps.
In the latest case, Evans apparently gave Redmond far longer to get its gear together before going public, and he only acted after other browser developers had issued patches, factors that mean it would be very hard to argue that he "jumped the gun".