Microsoft Thanks Google for IE Fix

Google this week rolled out a fix to mitigate the risk from a newly discovered vulnerability in Internet Explorer that puts users of Google Desktop at risk even if they are running a fully updated system. Microsoft developers thanked Google for their work and say they are working on a patch for IE.

Uncovered by Israeli hacker Matan Gillon, the security hole involves a problem with the way IE imports cascading style sheets (CSS) from other Web sites, a technique referred to as cross site scripting (XSS). IE will import any type of file with a bracket, regardless of whether or not it's valid CSS.

By combining the flaw with Google's Desktop Search, a malicious Web site could read personal data off a visitor's machine.

"Our investigation indicates that this issue will have limited impact because an effective attack requires a website to expose sensitive information in a specific way. Basically, an attacker would need to find a way to make a response look like a Cascading Style Sheet, and that response would need to contain sensitive information," explained Microsoft security researcher Michael Howard.

Gillon supplied proof of concept code using Google News to highlight the potential risk. "A complete exploit can also iterate through the result pages to get more data and log the results on a remote server," he said. But Google has now closed that hole.

"Google has done a good thing for the protection of our mutual customers by mitigating the issue on their servers. We think that is great," added Howard.

"The underlying cross-site issue still exists within IE and I want to reassure you that we are investigating the root cause of this issue. Once the investigation is complete we'll take appropriate action for our customers which may include fixing this in a future security update for IE."