Full Disclosure mailing list archives
Internet Explorer 8 PoC: window.onerror leak leads to surge in interest in goat farming?
From: Chris Evans <scarybeasts () gmail com>
Date: Thu, 21 Oct 2010 19:06:27 -0700
Hi, Internet Explorer has a cross-origin leak through the window.onerror callback. At first glance, it's a minor leak but if you look around you can find a significant impact on some subset of websites. I wrote up more thorough details on how the attack works here: http://scarybeastsecurity.blogspot.com/2010/10/minor-leak-major-headache.html I also provided a PoC against Google Reader; the victim has their anti-XSRF token stolen and this is used to force them to subscribe to a feed on goat farming: http://scary.beasts.org/misc/reader.html (Unfortunately -- or fortunately depending upon you point of view -- the PoC is neutered because the Reader team elected to work around the IE vulnerability for now). The vulnerability remains unfixed in production versions of IE and is approaching 2 years old since vendor notification. This would make this a 600-day disclosure. It would be inaccurate to use the term "0-day", although misuse of that term is somewhat rampant. Security-conscious users may wish to prefer the Firefox browser over Internet Explorer; the timeline in the blog post shows two very different vendor responses to the exact same cross-origin leak. Cheers Chris
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Internet Explorer 8 PoC: window.onerror leak leads to surge in interest in goat farming? Chris Evans (Oct 21)