An Internet Explorer bug has put Google users at risk of a phishing attack, according to a security researcher in Israel.
Matan Gillon published an article detailing a method for exploiting an unpatched Internet Explorer flaw. The flaw could allow hackers to gain access to computers running Google’s desktop search tool.
Google has since patched its sites to prevent the exploitation of the vulnerability, but security analysts said another exploit could be lurking in the shadows.
Style Sheet Security
Gillon identified a problem in the way Internet Explorer processes Cascading Style Sheet (CSS) rules. CSS is an HTML feature that gives both Web site developers and users more control over how pages are displayed by specifying the appearance of text and other elements. CSS is commonly used on the Internet.
“Much like classic XSS holes, this design flaw in IE allows an attacker to retrieve private user data or execute operations on the user’s behalf on remote domains,” Gillon wrote in his report.
“The difference is that in this case the target site doesn’t have to be vulnerable to script injection. All an attacker has to do is lure a user to a malicious Web page. Thousands of Web sites can be exploited and there isn’t a simple solution against this attack at least until IE is fixed.”
Microsoft Investigates
Microsoft said it is still investigating the security issue, which affects the cross-domain protections in Internet Explorer: “This issue could potentially allow an attacker to access content in a separate Web site, if that Web site is in a specific configuration.”
Microsoft said that although it is not aware of malicious code that seeks to exploit the CSS flaw, it is monitoring the situation. The software giant said it may release a security update or an advisory on the issue.
“The vulnerability still exists in Internet Explorer in that it’s very lenient in how it pulls CSS, but right now nobody is publishing a way that it can be leveraged to do something useful,” Michael Sutton, director of VeriSign company iDefense, told TechNewsWorld. “That’s not to say that somebody won’t find a way. I’m sure somebody will come up with a creative way to leverage it to do something evil.”
Reigniting the Security Debate
Microsoft has seen a lot of security activity lately. Besides the four examples of attack code released for flaws in the Windows operating system, there was also an unpatched flaw in Internet Explorer that recently opened the door to a Trojan horse.
Meanwhile, Firefox and Opera are not vulnerable to the CSS flaw, according to Gillon. He suggested that consumers could either use one of these two open-source browsers or disable JavaScript in Internet Explorer as a workaround.
Does this mean that Firefox and Opera are more secure? Not necessarily, Sutton said. He shies away from such blanket statements about security and prefers to look at how quickly vulnerabilities are addressed.
“Typically Firefox vulnerabilities are handled pretty quickly due to its open-source nature, but Microsoft has definitely made strong strides in how they deal with vulnerabilities like this,” Sutton said. “They have shown that when there is a critical vulnerability they are willing to do out-of-cycle patches and, through their MSRC blog, to comment on it. A year ago, Microsoft wouldn’t have commented on a flaw like this.”