Nasty Data-Stealing Bug Haunts Internet Explorer 8

[Lead Head]

http://threatpost.com/en_us/blogs/nasty-data-stealing-bug-haunts-internet-explorer-8-090410

There's an unpatched vulnerability in Internet Explorer 8 that enables simple data-stealing attacks by Web-based attackers and could lead to an attacker hijacking a user's authenticated session on a third-party site. The flaw, which a researcher said may have been known since 2008, lies in the way that IE 8 handles CSS style sheets.

The vulnerability can be exploited through an attack scenario known as cross-domain theft, and researcher Chris Evans originally brought the problem to light in a blog post in December. At the time, all of the major browsers were vulnerable to the attack, but since then, Firefox, Chrome, Safari and Opera all have implemented a simple defense mechanism. Mozilla was the last to fix the issue, in July.

But Microsoft has not yet implemented a fix for the vulnerability, and Evans on Friday posted a message to the Full Disclosure mailing list pointing out this fact and linking to a benign demo site. Microsot Security Response Center officials said they are aware of the issue and are investigating it.

I still can't fathom why it takes a company as large as Microsoft so long to release patches for problems that have been known about for years.

[Aloone_Jonez]

Shit of course but why would anyone expect anything more from Microsoft?

I think Mozilla is bad enough for waiting until July to sort it out which is still shit in my opinion.

[Lead Head]

I agree that it took Mozilla far too long to fix it at well. I will cut them some slack compared to Microsoft though. Mozilla has no where near the manpower or cash that Microsoft has at its disposal.

[Aloone_Jonez]

I agree that it took Mozilla far too long to fix it at well. I will cut them some slack compared to Microsoft though. Mozilla has no where near the manpower or cash that Microsoft has at its disposal.

The trouble with large companies is how the budget is allocated.

Of course MS have a load of cash but they're obviously not investing it in the right areas. My guess is that in the IE department, most of the money goes to developing and marketing IE 9 rather than patching IE 8 so even if the developers want to, they might not have the funds and time available to do so.

[davidnix71]

Big companies are being cheap and stupid now, the economy is so bad. My neighbor works for ATT and he is only about 3 people away from being "surplus." I had to visit him to get a message through that someone let the SSL certs for Bellsouth lapse on 9/10/10. I tried to pay my bill online and Firefox pitched a fit about even going to the bill pay site.

I tried to let ATT know, but they no longer have working email addresses and the online text-chat support went nowhere. The "tech" I texted told me to upgrade my browser after I told him ATT's certs had expired. He didn't seem to understand what a SSL cert was. If I want to talk to tech support over the phone now I have would have to buy a contract first. I'm not paying to tell them to get their sh!t together.

My neighbor said things would get fixed when the banks refused to accept bill pay transactions on the expired certs.