Home / vulnerabilities ie-crossorigin.txt
Posted on 22 October 2010
Source : packetstormsecurity.org Link
Hi,
Internet Explorer has a cross-origin leak through the window.onerror
callback.
At first glance, it's a minor leak but if you look around you can find a
significant impact on some subset of websites.
I wrote up more thorough details on how the attack works here:
http://scarybeastsecurity.blogspot.com/2010/10/minor-leak-major-headache.html
I also provided a PoC against Google Reader; the victim has their anti-XSRF
token stolen and this is used to force them to subscribe to a feed on goat
farming: http://scary.beasts.org/misc/reader.html
(Unfortunately -- or fortunately depending upon you point of view -- the PoC
is neutered because the Reader team elected to work around the IE
vulnerability for now).
The vulnerability remains unfixed in production versions of IE and is
approaching 2 years old since vendor notification. This would make this a
600-day disclosure. It would be inaccurate to use the term "0-day", although
misuse of that term is somewhat rampant.
Security-conscious users may wish to prefer the Firefox browser over
Internet Explorer; the timeline in the blog post shows two very different
vendor responses to the exact same cross-origin leak.
Cheers
Chris
