Internet Explorer 8 Vulnerability Exposed

September 9, 2010

A new vulnerability has been discovered in Internet Explorer that takes advantage of Cascading Style Sheets (CSS), in order to steal data from the browser.

This past Friday, Google security researcher Chris Evans posted on the Full Disclosure mailing list (see that post here) describing a CSS vulnerability he discovered. He also posted a harmless example of what that vulnerability could do. In the example, you go to a site in IE and click a button (which supposedly could be automated) and your twitter account will automatically send out a tweet. Barely two hours later, Microsoft tweeted that they were aware of a problem and would "investigate" the issue.

This CSS vulnerability is not exclusive to Internet Explorer. The other four major browsers are also affected: FireFox, Safari, Opera, and Chrome. The only difference is the vendors of those browsers have issued patches and plugged the holes that created the problem. As of yet, Internet Explorer is the only major browser that has yet to be fixed. Not that there hasn't been enough time to work on a patch. According to Evans in the posting mentioned above, "[t]here's evidence to suggest that Microsoft has been aware of this since at least 2008." Whether or not they have known about the vulnerability that long is irrelevant, considering that it has been fixed by everyone else.

This vulnerability takes advantage of CSS standards to steal browser data. According to those standards, cookies are sent from the browser when CSS is called, even if it is a cross-domain call. Combining this with a CSS injection attack using background-image:url(), the browser's cookies will be sent to the given url. These cookies can contain the keys needed to break into web applications such as Twitter accounts and webmail sites. Even worse, this happens even when javascript is disabled, making this a threat even to those who think they are relatively safe.

View more news