Microsoft downplays IE 'cookiejacking' bug

Gregg Keizer, Computerworld | May 27, 2011
Microsoft today downplayed the threat posed by an unpatched vulnerability in all versions of Internet Explorer (IE) that an Italian researcher has shown can be exploited to hijack people's online identities.

"I published this game online on Facebook and in less than three days, more than 80 cookies were sent to my server," Valotta told the Reuters news service this week.

The puzzle required users to drag and drop pieces on the Web page; unbeknownst to the victims, when they did so they actually dragged cookies to a specific spot on the screen where a clickjacking attack captured the data before sending it to Valotta.

Valotta said that all versions of IE, including the just-released IE9, on all supported editions of Windows, including XP, Vista and Windows 7, were vulnerable to cookiejacking attacks.

Bryant added that the IE vulnerability was not serious enough to trigger an emergency, or "out-of-band" security update. "We are also not aware of it being used in any active way outside of the demo at [the Amsterdam] Hack in the Box [conference]," he said.

