You are currently viewing our boards as a guest which gives you limited access to view most discussions and access our other features. By joining our free community you will have access to post topics, communicate privately with other members (PM), respond to polls, upload content and access many other special features. Registration is fast, simple and absolutely free so please, join our community today!
If you have any problems with the registration process or your account login, please contact contact us.
United Off Topic **FOR MEMBERS ONLY**Chat about whatever! Off-topic chat forum. (Be sure to appropriately title posts that are NWS)
You must be registred and logged in to see sub-forums
Google this week rolled out a fix to mitigate the risk from a newly discovered vulnerability in Internet Explorer that puts users of Google Desktop at risk even if they are running a fully updated system. Microsoft developers thanked Google for their work and say they are working on a patch for IE.
Uncovered by Israeli hacker Matan Gillon, the security hole involves a problem with the way IE imports cascading style sheets (CSS) from other Web sites, a technique referred to as cross site scripting (XSS). IE will import any type of file with a bracket, regardless of whether or not it's valid CSS.
By combining the flaw with Google's Desktop Search, a malicious Web site could read personal data off a visitor's machine.
"Our investigation indicates that this issue will have limited impact because an effective attack requires a website to expose sensitive information in a specific way. Basically, an attacker would need to find a way to make a response look like a Cascading Style Sheet, and that response would need to contain sensitive information," explained Microsoft security researcher Michael Howard.
Gillon supplied proof of concept code using Google News to highlight the potential risk. "A complete exploit can also iterate through the result pages to get more data and log the results on a remote server," he said. But Google has now closed that hole.
"Google has done a good thing for the protection of our mutual customers by mitigating the issue on their servers. We think that is great," added Howard.
"The underlying cross-site issue still exists within IE and I want to reassure you that we are investigating the root cause of this issue. Once the investigation is complete we'll take appropriate action for our customers which may include fixing this in a future security update for IE."
12-10-2005, 04:20 AM
I keep forgetting that - I have a great memory but it doesn't last long
Similar Threads
