Robert McMillan, IDG News Service
A bug in Microsoft's Internet Explorer browser gives phishers a way to
scan the hard drives of Google Desktop users, according to an Israeli
hacker. Because of a flaw in the way IE processes Web pages, a
malicious Web site could use the attack to steal sensitive information
like credit card numbers or passwords from the hard drives of its
visitors.
"Google Desktop users who use IE are currently completely exposed,"
wrote hacker Matan Gillon in an e-mail interview. "An experienced
attacker can covertly harvest their hard drives for sensitive
information such as passwords and credit card numbers. Since Google
also indexes e-mails which can be read in the Web interface itself,
it's also possible to access them using this attack."
The Details
Gillon has posted an extensive description of how such an attack would
work, along with a proof of concept exploit, on his blog.
The IE bug concerns the way Microsoft's browser processes Web page
layout information using the CSS (Cascading Style Sheets) format. The
CSS format is widely used to give Web sites a consistent look and
feel, but attackers can take advantage of the way that IE processes
CSS to get Google Desktop to reveal sensitive information.
Hackers would first need to trick users into visiting a malicious Web
site for the attack to be successful, Gillon says. The attack works
with IE 6 and Google Desktop version 2, and may also work on other
versions of Microsoft's browser, but not on non-Microsoft browsers
like Firefox or Opera, he adds.
Turn Off JavaScript
Users can nullify the attack by turning off JavaScript in their
browsers, Gillon says. This can be done by disabling "Active
scripting" in IE's Internet Options menu. JavaScript is a popular
scripting language used by Web developers to make their sites more
dynamic.
Users need to be particularly wary of the Web sites they visit these
days, because of another unpatched IE vulnerability that could be used
to take over a user's PC. Hackers posted sample code that exploited
this problem over a week ago, and Microsoft said that hackers are
already using the code in attacks. As with the new CSS problem, users
must first be tricked into visiting a malicious Web site for this IE
bug to be exploited.
Some security experts believe that Microsoft is in the process of
rushing out a patch to fix this problem before these attacks become
more widespread. These attacks can also be avoided by disabling
JavaScript in IE, or by using an alternative browser.
Microsoft executives were unavailable to comment on the CSS bug, but a
spokeswoman for the company's public relations agency said the issue
is being investigated. Microsoft is not aware of any attacks resulting
from the hole, she said.
Copyright 2005 PC World Communications, Inc.
NOTE: For more telecom/internet/networking/computer news from the
daily media, check out our feature 'Telecom Digest Extra' each day at
http://telecom-digest.org/td-extra/more-news.html . Hundreds of new
articles daily.
*** FAIR USE NOTICE. This message contains copyrighted material the
use of which has not been specifically authorized by the copyright
owner. This Internet discussion group is making it available without
profit to group members who have expressed a prior interest in
receiving the included information in their efforts to advance the
understanding of literary, educational, political, and economic
issues, for non-profit research and educational purposes only. I
believe that this constitutes a 'fair use' of the copyrighted material
as provided for in section 107 of the U.S. Copyright Law. If you wish
to use this copyrighted material for purposes of your own that go
beyond 'fair use,' you must obtain permission from the copyright
owner, in this instance, PC World Communications.
For more information go to:
http://www.law.cornell.edu/uscode/17/107.shtml
Robert McMillan (idg@telecom-digest.org)