
Topic: Internet Explorer Bug Leaks What Users Type in the URL Address Bar


tregs_beales



Microsoft's Internet Explorer browser is affected by a serious bug that allows rogue sites to detect what the user is typing in his URL address bar.

This includes new URLs the user might be navigating to, but also search terms that IE automatically handles via a Bing search. Users copy-pasting URLs for Intranet pages inside IE would likely see this bug as a big issue.

The bug, spotted by security researcher Manuel Caballero, poses a privacy risk, as it could be used in reconnaissance operations in targeted attacks, but also for data harvesting by online advertisers.

Bug is easy to exploit

The bug occurs when IE loads a page that (1) contains a malicious HTML object tag and (2) features the compatibility meta tag in its source code. Both conditions are quite easy to meet.

Condition one: Attackers can hide malicious HTML object tags in hacked sites or load them via ads that allow advertisers to load custom HTML and/or JavaScript code.

Condition two: X-UA-Compatible is a document mode meta tag that allows web authors to choose what version of Internet Explorer the page should be rendered as. Almost all sites on the Internet have a compatibility meta tag.
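
For site owners who want to check their own pages against the two conditions above, here is an added audit example (not part of the original post). The article does not say what makes an object tag malicious, so this script only inventories object tags and flags those whose `data` URL is not on the page's own host for manual review; the page URL and sample markup are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class IEPreconditionAudit(HTMLParser):
    """Collects the two markup features the article names as preconditions."""
    def __init__(self, page_url):
        super().__init__(convert_charrefs=True)
        self.page_url = page_url
        self.compat_modes = []  # content values of X-UA-Compatible meta tags
        self.objects = []       # (line, resolved data URL, type, off_host)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # attribute names arrive lowercased
        if tag == "meta" and a.get("http-equiv", "").strip().lower() == "x-ua-compatible":
            self.compat_modes.append(a.get("content", "").strip())
        elif tag == "object":
            data = a.get("data", "").strip()
            url = urljoin(self.page_url, data) if data else None
            # Off-host: the object content is not served by the page's own host
            # (third-party origins, and inline data: URIs, which have no host).
            off_host = bool(url) and urlparse(url).netloc != urlparse(self.page_url).netloc
            self.objects.append((self.getpos()[0], url, a.get("type", ""), off_host))

def audit(html, page_url):
    """Report whether both conditions co-occur and which objects need review."""
    p = IEPreconditionAudit(page_url)
    p.feed(html)
    p.close()
    return {
        "compat_modes": p.compat_modes,
        "objects": p.objects,
        "both_preconditions": bool(p.compat_modes) and bool(p.objects),
        "needs_review": [o for o in p.objects if o[3]] if p.compat_modes else [],
    }

# Constructed sample page: one first-party object and one loaded by an ad slot.
SAMPLE_URL = "https://intranet.example.com/portal/index.html"
SAMPLE = """<html><head>
<meta http-equiv="X-UA-Compatible" content="IE=8">
</head><body>
<object data="/media/intro.swf" type="application/x-shockwave-flash"></object>
<div class="ad-slot"><object data="https://ads.example.net/creative.html" type="text/html"></object></div>
</body></html>"""

if __name__ == "__main__":
    report = audit(SAMPLE, SAMPLE_URL)
    print("both preconditions present:", report["both_preconditions"])
    for line, url, mime, _ in report["needs_review"]:
        print(f"review line {line}: <object data={url!r} type={mime!r}>")
```

The same check can be run over ad creatives before they are accepted, since that is the delivery path condition one describes.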

 

 
