Microsoft Thanks Google for IE Fix

By Nate Mook, BetaNews

December 8, 2005, 12:30 PM

Google this week rolled out a fix to mitigate the risk from a newly discovered vulnerability in Internet Explorer that puts users of Google Desktop at risk even if they are running a fully updated system. Microsoft developers thanked Google for their work and say they are working on a patch for IE.

Uncovered by Israeli hacker Matan Gillon, the security hole involves a problem with the way IE imports cascading style sheets (CSS) from other Web sites, a technique referred to as cross site scripting (XSS). IE will import any type of file with a bracket, regardless of whether or not it's valid CSS.

By combining the flaw with Google's Desktop Search, a malicious Web site could read personal data off a visitor's machine.

"Our investigation indicates that this issue will have limited impact because an effective attack requires a website to expose sensitive information in a specific way. Basically, an attacker would need to find a way to make a response look like a Cascading Style Sheet, and that response would need to contain sensitive information," explained Microsoft security researcher Michael Howard.

Gillon supplied proof of concept code using Google News to highlight the potential risk. "A complete exploit can also iterate through the result pages to get more data and log the results on a remote server," he said. But Google has now closed that hole.

"Google has done a good thing for the protection of our mutual customers by mitigating the issue on their servers. We think that is great," added Howard.

"The underlying cross-site issue still exists within IE and I want to reassure you that we are investigating the root cause of this issue. Once the investigation is complete we'll take appropriate action for our customers which may include fixing this in a future security update for IE."
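The import behaviour the article describes, modelled as an added example (not code from the article, Microsoft or Google): a lax rule that accepts any body containing a brace, beside a stricter rule that requires a cross-origin import to be served as text/css. The stricter rule is an assumed hardening, not Microsoft's stated fix; the function names, URLs, headers and bodies are constructed for illustration.

```javascript
// Added illustration: a model of the import decision, not Internet Explorer source code.
// All URLs, headers and bodies below are constructed sample data.

// Lax rule as the article describes it: anything containing a brace is imported as CSS.
function laxImportAllowed(response) {
  return response.body.includes("{");
}

// Media type from a Content-Type header value, without parameters such as charset.
function mediaType(headers) {
  return (headers["content-type"] || "").split(";")[0].trim().toLowerCase();
}

// Strict rule (assumed hardening): a cross-origin import must be declared text/css.
// Same-origin content is already readable by the page, so the lax rule adds no exposure there.
function strictImportAllowed(pageOrigin, response) {
  if (mediaType(response.headers) === "text/css") return true;
  const sameOrigin = new URL(response.url).origin === pageOrigin;
  return sameOrigin && laxImportAllowed(response);
}

// Responses that only the lax rule would hand to the importing page.
function exposedByLaxRule(pageOrigin, responses) {
  return responses
    .filter((r) => laxImportAllowed(r) && !strictImportAllowed(pageOrigin, r))
    .map((r) => r.url);
}

const sampleResponses = [
  { url: "https://cdn.example/site.css",
    headers: { "content-type": "text/css; charset=utf-8" },
    body: "body { margin: 0 }" },
  { url: "https://search.example/results?q=report",
    headers: { "content-type": "text/html" },
    body: "<style>p{color:black}</style><p>private result text</p>" },
  { url: "https://api.example/profile",
    headers: { "content-type": "application/json" },
    body: '{"email":"user@example.test"}' },
  { url: "https://news.example/plain.txt",
    headers: { "content-type": "text/plain" },
    body: "no braces here" },
];

console.log(exposedByLaxRule("https://visitor-page.example", sampleResponses));
```

Run against a list of a site's own responses, the same comparison shows which non-CSS endpoints would be readable by a foreign page under the lax rule.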

28 Comments

By Pegusis2

posted Dec 10, 2005 - 8:02 AM

As I have said in the past... these extra tool bars are really worthless. Bookmark the search sites that you use most - simple as that. Why do you need to be running Google Desktop or Yahoo search bar in the first place? So that someone can better track your whereabouts or what you are searching for so that they can better send you more specific Spam? Do not use these worthless tools if you even want to refer to them as tools... And if it's the RSS Feeds that you are looking to use there are tons of Good programs out there for that.

Score: 0

By athome

edited Dec 9, 2005 - 12:47 PM

There are two programs that are involved here, not only MS. Google did not fix anything for Microsoft, and I fail to see how this problem is really one belonging to them (MS). You need to have Google Desktop installed and the code could read personal data. Could it be a problem with Google then, not MS? Yet everyone takes the potshot at MS. The way in which the story reads is that the two must be present in order to be exploited. Am I wrong?
More importantly, the problem has been fixed with regard to Desktop Search (by its developers) and MS will plug a hole that really wasn't a hole to begin with, and not being used.

Sounds very harmless at this point and no real basis for attacks on MS, who is by the way working on fixing this problem. Not really a priority at this time.

IMO

Score: 0

By frankwick

posted Dec 9, 2005 - 9:49 AM

Are you people 13? Everyone has bugs and holes. Had Google Desktop not had a hole in the first place then this would not have been brought to light.

I find it funny that you people are praising Google for their work while blasting MS. Both have holes. Google was able to band-aid a minor app. MS can't rush a band-aid out the door because they have to worry about backwards compatibility and all the other subsystems which IE touches. If they would slap a patch on it without regression testing then they would meet your requirement for a quick patch, but I'm sure it would have a negative impact somewhere else. I'm sure MS will opt to go safe vs please some lonely teenagers on a message board.

Score: 0

By QuiescentWonder

edited Dec 9, 2005 - 11:44 AM

Frank, did you read anything about this exploit? It's a flaw in Internet Explorer and Google's software (collecting information for search purposes) just allows people to abuse it. Google temporarily patched the problem until Microsoft releases a patch for IE (which we all know takes forever). Why don't you do a bit of research before blasting a bunch of people for something that's not true. I'm inclined to believe you didn't even read the entire article.

Score: 0

By KSzostek

posted Dec 9, 2005 - 7:28 PM

Well said!

Score: 0

By giwo

posted Dec 8, 2005 - 2:22 PM

"The underlying cross-site issue still exists within IE and I want to reassure you that we are investigating the root cause of this issue. Once the investigation is complete we'll take appropriate action for our customers which may include fixing this in a future security update for IE."

Roughly translated, "You're screwed until IE 7, but that shouldn't surprise you."

Score: 0

By tubaman

posted Dec 8, 2005 - 2:06 PM

I just find it funny that Google fixed M$'s problem before M$ fixed it.

Score: 0

By Pegusis2

posted Dec 10, 2005 - 8:06 AM

That's because it was never M$ problem in the first place... it was a Google problem that Google created. I find it funny how you could say it's a M$ problem in the first place.

If I build a car and it works great, then you install some device that was built by some other manufacturer and the car does not work properly afterwards, is it a problem that I built into the car or was it a poor design by the manufacturer of the device that you installed...?

Score: 0

By QuiescentWonder

posted Dec 13, 2005 - 9:13 PM

You're wrong. It's Microsoft's problem, they admitted it, they thanked Google. Not only that, but the problem was around before anyone thought of using Google Desktop, and proof-of-concept code was floating around on the Internet. Stop bashing Google.

Score: 0

By Kramy

posted Dec 8, 2005 - 4:14 PM

That's the difference between quite well written code and unmaintainable code. ;)

Score: 0

By KSzostek

edited Dec 8, 2005 - 8:04 PM

Kramy here you go again. You tell us from a Canadian point of view!

Score: 0

By ServerMechanic

posted Dec 8, 2005 - 1:35 PM

Google is the Devil!

Score: 0

By bourgeoisdude

posted Dec 9, 2005 - 1:22 PM

So since MS is thanking them, would MS be the Devil's Advocate? ;)

Score: 0

By PC_Tool

edited Dec 8, 2005 - 2:20 PM

So the Devil is fixing Cthulhu's Code now?

Heh..Google: QA for Microsoft.

Gotta love it.

Score: 0

By itanshi

posted Dec 8, 2005 - 1:14 PM

not reading css right? that's the same thing as not supporting standards right, right?

lala

Score: 0

By netwiz562

posted Dec 8, 2005 - 7:07 PM

no it is not.

Score: 0

By GoodThings2Life

posted Dec 8, 2005 - 12:53 PM

"Thanks, Google, for giving us more time to fix our security issue!"

Score: 0

By maniakmx3

posted Dec 8, 2005 - 12:34 PM

Google is still evil...They just want M$ to stop competing with them lol

Score: 0

By citizen420

posted Dec 8, 2005 - 1:25 PM

hmm....don't know if it's evil, but it is big. or is evil just becoming another word for big these days.

Score: 0

By PC_Tool

edited Dec 8, 2005 - 2:24 PM

Does that mean that I have *really* Evil feet?

And Texas is the most Evil state in the USA?

Which is more Evil, the Pacific or Atlantic Ocean?

And the more I eat, the more Evil I become, right? (So long as I don't exercise...)

Score: 0

By bourgeoisdude

edited Dec 9, 2005 - 1:24 PM

Pacific is more evil. But Texas??? Alaska is the most Evil state. Get your facts straight :)

Score: 0

By PC_Tool

posted Dec 9, 2005 - 4:39 PM

As mentioned below, but thanks.

:)

Just a little earlier and you'd have had it. :P

Score: 0

By garbuhj

edited Dec 9, 2005 - 6:31 AM

You know what they say about guys with evil feet, right?

Score: 0

By wincement

posted Dec 9, 2005 - 8:58 PM

ROFL

Score: 0

By PC_Tool

posted Dec 9, 2005 - 8:44 AM

lmao...

Score: 0

By captzerf

posted Dec 8, 2005 - 5:48 PM

I think you mean Alaska is the most evil state.

http://resourcescommitte...es/anwrpic/alaskaus.jpg

Score: 0

By PC_Tool

posted Dec 9, 2005 - 8:44 AM

But only slightly more Evil than Texas...

Score: 0

By Kramy

posted Dec 8, 2005 - 4:12 PM

Yeah, pretty much. :p

Evil heathen!

Score: 0