Researcher: IE Flaw Allows Data Theft

A security researcher has published information showing that a previously unknown design flaw in Microsoft's Internet Explorer could be used by malicious Web sites to steal sensitive information from IE users' computers.

Israeli hacker Matan Gillon says he's discovered that an unpatched security hole in IE could allow a Web site to see files on the visitor's computer that store data about the user's relationship with other Web sites.

In a detailed analysis published on his Web site, Gillon demonstrates how the hack could be leveraged to steal data on the victim's machine indexed by Google Desktop Search, a free program that allows users to quickly find a variety of files on their computers. The problem is not with Google's software, which contains several built-in security measures to ensure that data cached by its software cannot be read by anyone other than the user.

Gillon's research shows that if an IE user is already logged on to a Web-based service, such as Gmail or Hotmail, a malicious Web page could execute certain operations in the user's account, such as opening e-mails and relaying them back to the site's owner for remote viewing.

"This discovery has implications that go far beyond the Google trick," said Tom Liston, a senior analyst for Intelguardians, an information security consulting group in Washington. "Over the next few days I think we're going to see a lot of people coming out and saying the Google Desktop thing was kinda cool, but that there are far more dangerous implications."

According to Gillon, the hack works because IE does not properly parse cascading style sheet (CSS) files, a Web design language used by thousands of Internet sites.

The exploit demonstrated on Gillon's site works on a fully patched IE browser with default security and privacy settings. Gillon said other browsers, such as Firefox, are sufficiently locked down that the hack doesn't work on them.

This is yet another IE flaw that cannot be exploited if the user disables scripting. (For instructions on how to do that, see this post.) However, given the danger presented by this and other recent discoveries of IE security holes, I would strongly recommend that IE users consider downloading and using another browser, like Firefox, Opera or Netscape. Last month, security researchers released instructions demonstrating how Web sites could use another serious, unpatched, script-related flaw in IE to seize control of computers.

Microsoft said in a statement that it was investigating the problem, saying the exploit detailed by Gillon "could potentially allow an attacker to access content in a separate website if that website is in a specific configuration." The company said it was not aware of any "active attacks or of customer impact," and said it may issue a security advisory on the matter or provide an update through its monthly patch release process to fix the problem.

News of this research was first reported by eWeek, which has a more technical description of how the attack works.

By Brian Krebs  |  December 2, 2005; 3:35 PM ET
Categories:  Latest Warnings  


This is a particularly silly vulnerability because it arises from Microsoft's refusal to adhere to the standards set for web programming. Firefox and most other browsers don't adhere perfectly, but they are a lot better in this regard.

Posted by: William | December 2, 2005 4:39 PM | Report abuse

Oh Jeebus. Advising users to switch to Firefox will not make them "safer", it just exposes them to *other* vulnerabilities. Bottom line: you must apply patches to fix buggy code.

[insert copious replies on how micro$oft is, like, *so* much worse and it is stupid to say Firefox is not safer]

Posted by: Jeebus | December 2, 2005 10:39 PM | Report abuse

Use OPERA browser. (NUFF SAID)

Posted by: joeB.low | December 2, 2005 10:46 PM | Report abuse

Yes, apply patches when they are available. The problem is that the patches are not available yet. IE has had two unpatched serious security threats appear in less than two weeks. Microsoft is not known for its speedy patching.

Firefox, on the other hand, is. The last time there was a moderate security threat to Firefox, the Mozilla organization posted a workaround patch the day of the threat announcement and a complete patch within two days.

With the new Firefox 1.5, updating becomes even easier. Patches are downloaded and updated automatically when available.

Posted by: mw | December 3, 2005 1:48 AM | Report abuse

Jeebus, did you notice that patches aren't available yet?

Posted by: sisyphis | December 3, 2005 5:17 AM | Report abuse

What problems have been associated with Firefox? Can you name one that directly puts the user's data at risk? Grow up, IE users.

Posted by: Bennett | December 3, 2005 9:18 AM | Report abuse


Posted by: ramesh | December 3, 2005 1:15 PM | Report abuse

Yes, I did notice that no patch was available. I fail to see what that has to do with whether Firefox is "safer". I don't have a detailed history, but I know not every flaw in Firefox was fixed the day it was announced, much less discovered.

When the next Firefox threat comes along, and it is not fixed immediately, I suppose everyone will say "move to IE, I hear they fixed their last flaw in 20 minutes"?

And how come Mozilla doesn't catch any flak for keeping flaws a secret until the fix announcement is made?


There were 59 advisories for Firefox in 2005, and quite a few seem like it wouldn't take too much imagination to exploit and steal user data (or take over the user's machine for that matter).

And I am not an IE user: I am using Konqueror on Linux to view this page. I just think it is not helpful to give out this sort of "security advice".

Posted by: Jeebus | December 3, 2005 1:49 PM | Report abuse

All these security issues become irrelevant if you use an Apple computer. I don't but - I'm thinking....

Posted by: Sallie | December 3, 2005 3:48 PM | Report abuse

"With great power comes great responsibility..."

Looks like Bill Gates never saw Spiderman.

Posted by: Daniel | December 3, 2005 5:50 PM | Report abuse

Hi, this is Bill Gates. I installed the latest Firefox, and was really impressed. I was about to order all Microsoft employees to use it instead of IE, but I was informed by our IE Project Manager that Firefox IS NOT a Microsoft product! So please DO NOT install Firefox!

Just simply delete all non-Microsoft programs from your computer, ESPECIALLY anything by Google, replace it all with Microsoft programs, and everything will be hunkey-dorkey, OK?

Posted by: Bill Gates | December 3, 2005 7:39 PM | Report abuse

And I did too see Spiderman! Sheesh! Why is everybody always picking on me?

Don't blame me, I voted for Pedro!

Posted by: Bill Gates | December 3, 2005 7:45 PM | Report abuse

Sallie - it will be a great time to "switch" after Apple releases the new Intel-based Macs. :-)

Posted by: Mike | December 3, 2005 8:36 PM | Report abuse

The second worst type of hacker is a web site that forces users to see a full page ad before reaching the home page. Would the Washington Post wrap its printed newspaper in an advertising wrapper? If not, then why do that to the web site?

I left before reading your article as I can still get the news without such rudeness.

Posted by: John Adams | December 3, 2005 8:41 PM | Report abuse

Opera, Opera, Opera.

Posted by: Dave | December 4, 2005 12:01 PM | Report abuse

Opera, Opera, Opera.

Posted by: Dave | December 4, 2005 12:03 PM | Report abuse

Google indexes all your desktop files. Where's the problem?

Posted by: Indexing my files? | December 4, 2005 3:11 PM | Report abuse


Maybe you should explain a bit why Opera, with the best support for CSS of any of the browsers mentioned, does not have the problem.

It sounds a lot like CSS, as opposed to "DHTML" -- a mostly Microsoft presentation driven bastardization -- is (at least partially) at fault. The W3C might be very cross with you if you don't get over the acronym machine in Redmond, as well they should.

Posted by: GTexas | December 4, 2005 5:41 PM | Report abuse

GTexas -- Thanks for the pointer. You raise an interesting question. But why should the W3C get cross w/ me?

Posted by: Bk | December 4, 2005 5:58 PM | Report abuse

Think of CSS as a WWW 2"x4" and scripting (DHTML) as a nail ...

Commercial interests (Bill Gates et al.) are like little boys with hammers, you should never quite trust them when they say that every nail needs pounding or that every board needs nails.

Have you tried the different stock style sheets that come with Opera? Very impressive; but "Look Ma, No Nails!"

Posted by: GTexas | December 5, 2005 5:11 PM | Report abuse

There you go again, dissing me with your hammer crack! As soon as I figure out the pun, I'm going to be mad as hell!

Bill G

Posted by: Bill Gates | December 5, 2005 9:33 PM | Report abuse

The comments to this entry are closed.


© 2010 The Washington Post Company