The Microsoft Security Response team posted an interesting tweet at the tail end of Friday afternoon last week. The message itself was relatively low key, but it pointed to something possibly more worrying. Enough to make me do some digging anyway…
“We’re aware of a publicly disclosed issue involving Internet Explorer. We’ll continue to investigate over the weekend.”
Hm, publicly disclosed where and by whom? What kind of issue and what kind of effect?
Well, it looks like the tweet might be referring to an evolution of a vulnerability that Google's Chris Evans first made public in December of last year, in a post on his Scary Beast Security blog.
Why have I jumped to that conclusion? Well, also on Friday last week, just a couple of hours before the Microsoft tweet, Chris Evans posted the following to the Full Disclosure mailing list:
“Hi, In an attempt to get this bug fixed…
A nasty vulnerability exists in the latest Internet Explorer 8. I have been unsuccessful in persuading the vendor to issue a fix.
The bug permits — for example — an arbitrary web site to force the victim to make tweets.”
In the mailing list posting Chris goes on to state that there is evidence that Microsoft may have been aware of this bug since 2008 and that the same defect “probably” affects earlier versions of IE too.
The technique is the cross-origin CSS theft that the December post describes. The attacker's page includes the victim's authenticated page (in the demo, a page on Twitter) as a stylesheet. The browser fetches it with the victim's cookies, and a lenient CSS parser treats text the attacker was able to plant earlier in that page as the start of a rule, so a secret that follows it in the page (the form token that guards state-changing requests) is swallowed into a property value the attacker's script can read back. With that token in hand the attacker can submit forged requests in the victim's name, which is how the demo posts tweets for them.
Embarrassingly, Opera, Chrome, Firefox and Safari have all already fixed this, in one form or another by refusing to apply a cross-origin document as a stylesheet when it is not served as CSS. Let's hope Microsoft had a good long investigation over the weekend then, eh? With URL-shortening services ever more popular, a user cannot tell where a link leads before clicking it, and a bug that only needs the victim to visit an attacker's page while logged in elsewhere is all too easy to exploit.