Details Emerge on IE 8 Data-Stealing Bug

Security researcher Chris Evans has released details of the data-stealing bug in Internet Explorer 8 that he publicized earlier this month, saying that the CSS flaw can be used to force victims to post messages on Twitter and that the bug appears to be no closer to being fixed.

Security researcher Chris Evans has released details of the data-stealing bug in Internet Explorer 8 that he publicized earlier this month, saying that the CSS flaw can be used to force victims to post messages on Twitter and that the bug appears to be no closer to being fixed.

The bug, which has been known for a couple of years now, involves the way that IE 8 handles CSS and Evans said that the proof-of-concept that he developed to force victims to post a message on Twitter is just one example of how it could be exploited. Evans said in a blog post that the vulnerability has been known publicly for nearly two years. The same bug has been fixed for some time in Firefox, Google Chrome, Opera and Apple Safari.

“The IE CSS parser keeps track of opening and closing quote pairs,
and only terminates the CSS property if a ; is encountered outside of
quoting. Our usage of a ” character to start the property ensures that
any ; characters appear within the quoted context. Eventually, the CSS
parser includes the secret anti-XSRF token in the CSS property value and
then hits EOF with an unterminated quote. IE happily recovers from this
situation by constructing a CSS property value with all the text parsed
so far,” Evans writes in his blog post on the IE 8 bug.

“So the attacker simply includes the above
CSS-property-injected Twitter page as CSS and recovers the CSS value for
the “font-family” property, which includes the secret token (as well as
a bunch of quoted semi-colons and other HTML detritus which is less
interesting to us).”

The end result is that a victim who authenticates himself to a Web site and then is enticed into visiting an attacker-controlled could end up with his session hijacked. The attacker also could steal sensitive data from the victim’s browser.

In August, Evans said in a previous post about the bug that there is some evidence that the bug has been known by attackers since sometime in 2008.

“That’s a dangerously long time for such a bug to be live and known by hackers,” he wrote.
“Browsers
are complicated pieces of software and will always have bugs.
Time-to-fix therefore matters for a browser. If security is a factor in
your browser choice, I recommend you look at Opera or Chrome. These
browsers fixed this bug the fastest.”

Suggested articles