A flaw with Internet Explorer’s handling of Cascading Style Sheets (CSS) could lead to information theft from Google Desktop and other programs.
Visiting a malicious web page with IE could lead to security implications, a security researcher cited in Silicon.com reported.
The problem with cross-domain protections in IE has attracted Microsoft’s attention, the world’s biggest tech company said in the article:
“This issue could potentially allow an attacker to access content in a separate website, if that website is in a specific configuration,” Microsoft said in the statement.
Microsoft is not currently aware of malicious code that takes advantage of the flaw, but is monitoring the situation, the company said. A security update or an advisory on the problem may be coming, it said.
Likewise, Google has begun to delve into researcher Matan Gillon’s findings. A proof of concept example created by Gillon demonstrated what could happen to a user visiting a web page crafted to take example of the problem:
He crafted a web page that – when viewed in IE on a computer with Google Desktop installed – uses the search tool and returns results for the query “password”.
To exploit the flaw, an attacker has to lure a victim to a malicious web page. “Thousands of websites can be exploited, and there isn’t a simple solution against this attack, at least until IE is fixed,” Gillon wrote.
The problem will probably give more fuel to the PR machines and fans of browsers like Firefox and Opera, and their claims of possessing better security than IE. In fact, one rumor making the rounds has NASA making Firefox a more formally recommended browser within the agency.
David Utter is a staff writer for Murdok covering technology and business. Email him here.
