Security [CENTRAL] Forum - SCforum.info
Topic: Microsoft research very old "CSS cross-origin theft" bug in Internet Explorer
Samker
SCF Administrator
« on: 07. September 2010., 16:06:32 »



Microsoft is looking into a long-known vulnerability in Internet Explorer that could be used to access users' data and Web-based accounts.

The bug can allow hackers to hijack Web mail accounts, steal data and send illicit tweets, Google security engineer Chris Evans said in a message posted on the Full Disclosure mailing list: http://seclists.org/fulldisclosure/2010/Sep/64

Evans also published a demonstration that showed how the flaw in IE8 could be used to commandeer a user's Twitter account and send unauthorized tweets: http://scary.beasts.org/misc/twitter.html

The vulnerability, known as a "CSS cross-origin theft" bug, has a long history. Researchers at Carnegie Mellon University, who recently published a paper ( download PDF: http://websec.sv.cmu.edu/css/css.pdf ) on the subject, have traced it back as far as 2002. Those researchers will present their paper at the Conference on Computer and Communications Security next month.

Even so, the flaw received little attention until Evans blogged about it in December 2009: http://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-cross-domain.html
He had submitted a bug report for Chrome eight months earlier: http://code.google.com/p/chromium/issues/detail?id=9877

Although Microsoft has not patched the vulnerability in IE8, other browsers, including Firefox, Chrome, Safari and Opera, have fixed the flaw. Google patched the bug in Chrome last January, while Mozilla did the same in July with Firefox 3.6.7 and Firefox 3.5.11.

IE9 includes a fix for the vulnerability. Microsoft plans to ship a public beta of IE9 on Sept. 15.

On Friday, Evans explained why he was adding to the patch pressure by crafting a proof-of-concept. "I have been unsuccessful in persuading the vendor to issue a fix," he said of Microsoft.

Microsoft issued a statement Friday saying it was investigating Evans' reports, but declined to answer questions on Monday, including whether earlier versions of IE were vulnerable or why it has not yet addressed the bug.

"We're currently unaware of any attacks trying to use the claimed vulnerability or of customer impact," said Jerry Bryant, a group manager with the Microsoft Security Response Center, in the e-mailed statement.

Microsoft should not have been surprised by Evans' disclosure. In early August, Evans blogged that IE8 was the "most vulnerable" to the flaw: http://scarybeastsecurity.blogspot.com/2010/08/internet-explorer-considered-harmful.html
In that blog, Evans also said he had a proof-of-concept able to appropriate a Web mail account. "It's a nasty attack," Evans said, "E-mail someone a link and if they click it, they are owned with a pure browser cross-origin bug."

This isn't the first time that someone from Google has released information about a bug in Microsoft software after claiming he got the cold shoulder. Earlier this summer, Tavis Ormandy -- like Evans a Google security researcher -- went public with a Windows flaw after he said Microsoft wouldn't commit to a patching deadline. Microsoft disputed Ormandy's account.

Microsoft eventually pushed up the patch date for Ormandy's bug by a month.

On Friday, Bryant reiterated Microsoft's position on early disclosures. "To minimize risk to computer users, Microsoft continues to encourage coordinated vulnerability disclosure," he said, referring to his company's new term for keeping vulnerability information secret until a patch is available.

(PCW)