Zero-day flaw haunts Internet Explorer

June 26, 2008 – 5:58 AM

An unpatched cross-domain vulnerability in Microsoft’s flagship Internet Explorer browser could expose Windows users to cookie hijacks and credentials theft attacks, according to a warning from security researchers.

The zero-day flaw, which has been reported to Microsoft, is a variation of Eduardo Vela’s IE Ghost Busters talk:

Do you believe in ghosts? Imagine an invisible script that silently follows you while you surf, even after changing the URL 1,000 times and you are feeling completely safe. Now imagine that the ghost is able to see everything you do, including what you are surfing and what you are typing (passwords included), and even guess your next move.

No downloading required, no user confirmation, no ActiveX. In other words: no strings attached. We will examine the power of a resident script and the power of a global cross-domain. Also, we will go through the steps of how to find cross-domains and resident scripts.

Details of the new variation have been posted online by the Ph4nt0m Security Team (translation here).

It affects Internet Explorer 6 on Windows XP SP2 and SP3.  The new IE 7 browser is not affected because Microsoft changed the way Javascript protocol URLs are handled to prevent these types of attacks.

Read the rest of the story…

You must be logged in to post a comment.