Nasty Data-Stealing Bug Haunts Internet Explorer 8

There’s an unpatched vulnerability in Internet Explorer 8 that enables simple data-stealing attacks by Web-based attackers and could lead to an attacker hijacking a user’s authenticated session on a third-party site. The flaw, which a researcher said may have been known since 2008, lies in the way that IE 8 handles CSS style sheets.

There’s an unpatched vulnerability in Internet Explorer 8 that enables simple data-stealing attacks by Web-based attackers and could lead to an attacker hijacking a user’s authenticated session on a third-party site. The flaw, which a researcher said may have been known since 2008, lies in the way that IE 8 handles CSS style sheets.

The vulnerability can be exploited through an attack scenario known as cross-domain theft, and researcher Chris Evans originally brought the problem to light in a blog post in December. At the time, all of the major browsers were vulnerable to the attack, but since then, Firefox, Chrome, Safari and Opera all have implemented a simple defense mechanism. Mozilla was the last to fix the issue, in July.

But Microsoft has not yet implemented a fix for the vulnerability, and Evans on Friday posted a message to the Full Disclosure mailing list pointing out this fact and linking to a benign demo site. Microsot Security Response Center officials said they are aware of the issue and are investigating it.

Here’s how Evans explains the problem in his original post in December:

It works by abusing the standards relating to the loading of CSS style sheets. Approximately, the standards are:

  • Send cookies on any load of CSS, including cross-domain.
  • When parsing the returned CSS, ignore any amount of crap leading up to a valid CSS descriptor.

By
controlling a little bit of text in the victim domain, the attacker can
inject what appears to be a valid CSS string. It does not matter what
proceeds this CSS string: HTML, binary data, JSON, XML. The CSS parser
will ruthlessly hunt down any CSS constructs within whatever blob is
pulled from the victim’s domain.

The upshot of this is that if a victim has visited a given Web site, authenticated himself to the site, and then visits a site controlled by an attacker, the attacker would have the ability to hijack the user’s session and extract supposedly confidential data. This attack works on the latest, fully patched release of IE8, Microsoft’s flagship browser.

Three researchers at Carnegie Mellon University have published a paper on this attack–to which Evans contributed–and lay out a client-side defense against it. The defense calls for browsers to enforce the content-type checking for style sheets that are loaded from other sites. The authors stipulate that strict enforcement of this policy can break a very small number of sites, so a less-strict version also is detailed in the paper.

The defense has been adopted in one for or another by Google Chrome, Mozilla Firefox, Apple Safari and Opera.

Evans said in his Full Disclosure message that he decided to post it as a way to encourage Microsoft to fix the problem. “I have been unsuccessful in persuading the vendor to issue a fix.,” he wrote.

Last month, Evans said that the bug itself might have been known in the attacker community since 2008.

“That’s a dangerously long time for such a bug to be live and known by hackers.,” he wrote. “Browsers are complicated pieces of software and will always have bugs.
Time-to-fix therefore matters for a browser. If security is a factor in
your browser choice, I recommend you look at Opera or Chrome. These
browsers fixed this bug the fastest.”

Suggested articles