Advertisement
Promo

Security threats Toolkit

Cross-application attack exploits IE flaw

Joris Evers CNET News

Published: 05 Dec 2005 11:55 GMT

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

A security researcher in Israel has found a way to steal information from unwitting users of Google's desktop search tool by exploiting an unpatched flaw in Microsoft's Internet Explorer.

There is a bug in the way the Web browser processes CSS rules, Matan Gillon wrote in a description of his hack posted on Wednesday.

The proof-of-concept method is an example of how security flaws in software can offer all kinds of access to programs on vulnerable PCs, including to Google Desktop.

Gillon wrote: "This design flaw in IE allows an attacker to retrieve private user data or execute operations on the user's behalf on remote domains."

He crafted a Web page that — when viewed in IE on a computer with Google Desktop installed — uses the search tool and returns results for the query "password".

To exploit the flaw, an attacker has to lure a victim to a malicious Web page. "Thousands of Web sites can be exploited, and there isn't a simple solution against this attack, at least until IE is fixed," Gillon wrote.

Microsoft is investigating the issue, which it described in a statement as a problem affecting the cross-domain protections in Internet Explorer. "This issue could potentially allow an attacker to access content in a separate Web site, if that Web site is in a specific configuration," Microsoft said in the statement.

Microsoft is not currently aware of malicious code that takes advantage of the flaw, but is monitoring the situation, the company said. A security update or an advisory on the problem may be coming, it said.

Google is also investigating Gillon's findings. A spokeswoman for the search giant said: "We just learned of this issue and are looking into it."

While Gillon in his example uses the IE flaw as a means to get to Google Desktop, this flaw and other software bugs could be used to covertly access virtually any application on a compromised computer.

  • Email
  • Trackback
  • Clip Link
  • Print friendlyPrint with EPSON

Did you find this article useful?
85 out of 129 people found this useful


In association with HP

Talkback

Post a comment


Full Talkback thread

0 comments

Related Links

More In Security threats



Company/Topic Alerts

Create a new alert from the list below:










Related Jobs

Web Designer

Web Developer / PHP Developer- Joomla or Magento, PHP, (X)HTML

Localization Project Manager - any European languages

Related BlackBerry Resources

Protecting the BlackBerry Device Platform Against Malware

BlackBerry Devices with Bluetooth - Security Overview

BlackBerry Enterprise Server IT Policy

BlackBerry Enterprise Solution - Security Technical Overview

BlackBerry Enterprise Solution and RSA SecurID

CIO's Guide to Mobile Security

See All White Papers

Video icon

Video

Sentry Posts Blog

McKinnon lawyers seek judicial review

Lawyers seeking a judicial review for Nasa hacker Gary McKinnon lodged fresh evidence of his psychiatric state at the High Court on Thursday. Karen Todner, McKinnon's solicitor,... More

1 comment

Beware of keeping your head in the clo...

Information security professionals can look forward to a deepening appreciation for their skills as security continues to be recognised as an essential element for doing business in... More

1 comment

Civil liberties groups attack file-sha...

Civil liberties and digital rights organisations have strongly criticised Lord Mandelson's Digital Economy Bill. Liberty said in a position paper on Tuesday that the bill, part of... More

Post a comment


Skip Sub Navigation Links to CNET Brand Links

Help

Become part of the ZDNet community.

ALL TOOLKITS

Blogs

Newsletters