Security Strategy

Google desktop exploited by IE flaw

Proof of concept with wider consequences for websites...

By Joris Evers

Published: 5 December 2005 08:55 GMT

A security researcher in Israel has found a way to steal information from unwitting users of Google's desktop search tool by exploiting an unpatched flaw in Microsoft's ubiquitous Internet Explorer.

There is a bug in the way the web browser processes CSS rules, Matan Gillon wrote in a description of his hack posted on Wednesday. CSS, or Cascading Style Sheets, is a method for setting common styles across multiple web pages. The web design technique is widely used on many sites across the internet.

The proof-of-concept method is an example of how security flaws in software can offer all kinds of access to programs on vulnerable PCs, including to Google Desktop.

Gillon wrote: "This design flaw in IE allows an attacker to retrieve private user data or execute operations on the user's behalf on remote domains."

He crafted a web page that - when viewed in IE on a computer with Google Desktop installed - uses the search tool and returns results for the query "password".

To exploit the flaw, an attacker has to lure a victim to a malicious web page. "Thousands of websites can be exploited, and there isn't a simple solution against this attack, at least until IE is fixed," Gillon wrote.

Microsoft is investigating the issue, which it described in a statement as a problem affecting the cross-domain protections in Internet Explorer. "This issue could potentially allow an attacker to access content in a separate website, if that website is in a specific configuration," Microsoft said in the statement.

Microsoft is not currently aware of malicious code that takes advantage of the flaw, but is monitoring the situation, the company said. A security update or an advisory on the problem may be coming, it said.

Google is also investigating Gillon's findings. A spokeswoman for the search giant said: "We just learned of this issue and are looking into it."

While Gillon in his example uses the IE flaw as a means to get to Google Desktop, this flaw and other software bugs could be used to covertly access virtually any application on a compromised computer.

Joris Evers writes for News.com
