Computing News | Another cross-site scripting vulnerability affects IE7 on XP


Posted by: Tweaker
Date added: 00:10 Sunday, 18th May 2008 GMT
Source: Beta News

A private security researcher well known for turning up cross-site scripting vulnerabilities in Web browsers has discovered another one, and is trumpeting the find as another milestone in Web history.

Truth is, it sounds like a trumpet we've all heard too many times before. On Wednesday, researcher Aviv Raff posted on his Web site the discovery of a vulnerability so open and easy to exploit that merely mentioning what it is could be enough of an instruction manual for malicious exploiters to try it for themselves.

Mainly, it involves Internet Explorer 7 running on all versions of Windows XP; however, BetaNews was able to trigger the vulnerability using proof-of-concept code on the latest public beta of IE8 running in Windows Vista (not SP1), though with Protected Mode turned off intentionally.

Simply put, when printing a Web page onto paper, IE gives the user an option to print a separate page showing a table of the hyperlinks inside the page. Typically, processes related to the printer run with a security level set to "Local Machine Zone," whose security is usually more lax. So as Raff discovered, jobs sent to the printer from IE run with that more lax security. Thus script embedded within the hyperlinks can run unchecked, even though it's IE itself that's re-embedding those hyperlinks into the user-generated table.
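
The flaw described above comes down to page-supplied link data being re-embedded into a generated document without output encoding. The following is an added illustration, not code from the article, from Raff, or from Internet Explorer: a simplified model of a link-table generator, shown unencoded and then hardened. All function names and the sample links are constructed for the example.

```javascript
// Added example: simplified model of a "print table of links" generator.
// Not Internet Explorer's code; names and sample data are constructed.

// Encode the characters that can change HTML structure.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Unencoded: link text and URL taken from the page are pasted into markup
// as-is, so any markup they carry becomes part of the generated document,
// which is rendered with the generator's (more lax) privileges.
function buildLinkTableUnsafe(links) {
  const rows = links.map((l) => `<tr><td>${l.text}</td><td>${l.href}</td></tr>`);
  return `<table>${rows.join("")}</table>`;
}

// Hardened: every page-supplied value is encoded before it is re-embedded,
// so it can only ever be displayed as text.
function buildLinkTableSafe(links) {
  const rows = links.map(
    (l) => `<tr><td>${escapeHtml(l.text)}</td><td>${escapeHtml(l.href)}</td></tr>`
  );
  return `<table>${rows.join("")}</table>`;
}

// Constructed sample input: one ordinary link and one whose URL carries markup.
const sampleLinks = [
  { text: "Home", href: "http://example.com/" },
  { text: "News", href: 'http://example.com/?q="><script>/* marker */</script>' },
];

// Regression check: does the generated markup contain a live script element?
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

console.log("unencoded table has script element:",
  containsScriptElement(buildLinkTableUnsafe(sampleLinks)));
console.log("hardened table has script element:",
  containsScriptElement(buildLinkTableSafe(sampleLinks)));
```

The same check works as a regression test for any feature that builds a new document (print views, link summaries, previews) from content supplied by the page being viewed.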
