Access member only content, take part in discussions with comments on blogs, news and reviews and receive all the latest security industry news directly to your inbox. Join now for free.
A confirmation email has been sent to your email address - SUPPLIED EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @scmagazine.com.au to your white-listed senders.
Microsoft's Internet Explorer (IE) 6 and 7 suffer from a security flaw in the browser's AutoComplete feature that could lead to information disclosure, Jeremiah Grossman, founder and chief technology officer of web application security firm WhiteHat Security, said at the Black Hat conference in Las Vegas.The issue is similar to a flaw affecting Apple's Safari browser that was patched last week. By abusing the HTML form AutoComplete functionality in IE 6 or 7, a malicious website may surreptitiously obtain a user's name, web aliases, addresses, telephone numbers, credit card numbers, place of work, job title, search terms, secret questions and answers, Grossman said. IE versions 8 and 9, the latter of which is due out in September, are not affected. Also, the AutoComplete form feature is not enabled by default in IE 6 and 7, so a user would have to manually turn on it on by clicking “yes” when the browser prompts them to do so during the attacks. “Microsoft has been investigating the issue described in Jeremiah Grossman's talk at Black Hat on Thursday," Jerry Bryant, group manager of response communications at Microsoft, said in a statement. "In addition, Microsoft was pleased that Grossman noted that Internet Explorer 8, the latest version of our browser, is not vulnerable to this issue.”Meanwhile, users who have applied Apple's patch for Safari 4 and 5 to fix that browser's auto-fill issue still could be at risk, Grossman said. “All the bad guy would have to do is mass distribute their auto-complete code, like on an advertising network or a series of malware-infected pages, obtain their victims' personal information (name, email, address, etc.) and cookie them with an ID (i.e. domain = http://whoisthisperson/%29,” Grossman wrote in a blog post. “When the person returns, even in a patched or feature disabled state, their browser (or the cookies within) would silently give up their identity.”Unless users of the affected browsers “go out of their way” to delete their cookies, they could be susceptible to attacks that take advantage of the feature, Grossman said. However, there currently is no evidence that attackers have launched any real-world exploits.To mitigate the risks of this threat, users should upgrade to IE 8, Google's Chrome, or Mozilla's Firefox, Grossman said. IE users who cannot upgrade to version 8 should disable the AutoComplete feature in forms. See original article on scmagazineus.com
To begin commenting right away, you can log in below or register an account if you don't yet have one. Please read our guidelines on commenting. Offending posts will be removed and your access may be suspended. Abusive or obscene language will not be tolerated. The comments below do not necessarily reflect the views or opinions of SC Magazine, Haymarket Media or its employees.