September 07, 2010, 9:25 AM — Microsoft last Friday said it was looking into a long-known vulnerability in Internet Explorer (IE) that could be used to access users' data and Web-based accounts.
The vulnerability, known as a "CSS cross-origin theft" bug, has a long history. Researchers at Carnegie Mellon University, who recently published a paper on the subject, have traced it back as far as 2002. Those researchers will present their paper at the Conference on Computer and Communications Security next month.
Although Microsoft has not patched the vulnerability in IE8, other browsers, including Firefox, Chrome, Safari and Opera, have fixed the flaw. Google patched the bug in Chrome last January, while Mozilla did the same in July with Firefox 3.6.7 and Firefox 3.5.11.
IE9 includes a fix for the vulnerability. Microsoft plans to ship a public beta of IE9 on Sept. 15.
On Friday, Evans explained why he was adding to the patch pressure by crafting a proof-of-concept. "I have been unsuccessful in persuading the vendor to issue a fix," he said of Microsoft.
Microsoft issued a statement Friday saying it was investigating Evans' reports, but declined to answer questions on Monday, including whether earlier versions of IE were vulnerable or why it has not yet addressed the bug.
"We're currently unaware of any attacks trying to use the claimed vulnerability or of customer impact," said Jerry Bryant, a group manager with the Microsoft Security Response Center, in the e-mailed statement.