Feeds

MS probes mystery IE bug

URL shortening shenanigans

Top 5 reasons to deploy VMware with Tegile

Microsoft is investigating reports of a new bug in Internet Explorer.

Redmond's Security Response Team (MSRT) said on Friday that it was aware of a "publicly disclosed issue involving Internet Explorer", and promised an investigation, without going into details.

Circumstantial evidence suggests Microsoft is referring to a post by security researcher Chris Evans, of Google, to a Full Disclosure mailing list on Friday, hours before MSRT's tweet.

"A nasty vulnerability exists in the latest Internet Explorer 8," Evans wrote. "I have been unsuccessful in persuading the vendor to issue a fix."

"The bug permits — for example — an arbitrary web site to force the victim to make tweets," he added.

The vulnerability may exist in other versions of IE and appears to be an extension of a cross-browser cross domain theft first documented by Evans via his scarybeastsecurity blog last December. Evans claims Microsoft has been aware of the bug since 2008, producing a harmless proof-of-concept exploit to illustrate his concerns.

Rik Ferguson, a senior security consultant at Trend Micro, explained that the exploit works by stealing the (supposedly secret) credentials for an already authenticated browser session, for example Twitter. "Those credentials are then abused to send arbitrary forged content," Ferguson writes.

The vulnerability might just as easily be used by other services that use URL shortening, according to Ferguson, who says that Opera, Chrome, Firefox and Safari have all already fixed this vulnerability. ®

Bootnote

A huge row kicked off back in June when another Google researcher, Tavis Ormandy, posted details of a Windows XP Help Center bug. Ormandy had given Microsoft just five days to fix the bug before going public. The incident reignited the long-running debate about the disclosure of security vulnerabilities, with spirited defences of their positions from both the full and responsible co-ordinated disclosure camps.

In the latest case, Evans apparently gave Redmond far longer to get its gear together before going public, and he only acted after other browser developers had issued patches, factors that mean it would be very hard to argue that he "jumped the gun".

Internet Security Threat Report 2014

More from The Register

next story
Download alert: Nearly ALL top 100 Android, iOS paid apps hacked
Attack of the Clones? Yeah, but much, much scarier – report
NSA SOURCE CODE LEAK: Information slurp tools to appear online
Now you can run your own intelligence agency
Microsoft: Your Linux Docker containers are now OURS to command
New tool lets admins wrangle Linux apps from Windows
Microsoft adds video offering to Office 365. Oh NOES, you'll need Adobe Flash
Lovely presentations... but not on your Flash-hating mobe
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
HTML5 vs native: Harry Coder and the mudblood mobile app princes
Developers just want their ideas to generate money
prev story

Whitepapers

Designing and building an open ITOA architecture
Learn about a new IT data taxonomy defined by the four data sources of IT visibility: wire, machine, agent, and synthetic data sets.
10 threats to successful enterprise endpoint backup
10 threats to a successful backup including issues with BYOD, slow backups and ineffective security.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Managing SSL certificates with ease
The lack of operational efficiencies and compliance pitfalls associated with poor SSL certificate management, and how the right SSL certificate management tool can help.