Microsoft Downplays IE “Cookie-jacking” Bug

Microsoft has downplayed the discovery of a “cookie-jacking” Internet Explorer bug, in news reported today by Italian researchers. The bug can be used to view users' cookies and use them to steal personal online identities.

A representative of the Italian firm, Rosario Valotta, explained that such an exploit is achieved by integrating a tactic known as “click-jacking”. This technique involves attackers luring users into dragging information to malicious sites. Once a user performs such an action, Valotta explained, an unpatched IE bug, known as a “zero-day”, could be cleverly combined with “click-jacking” to steal cookies from any site.

Mr. Valotta demonstrated how to conduct such attacks at conferences in Amsterdam and Zurich in early May. These techniques can be used by hackers in the future as an alternative to “click-jacking”. It appears that alternate methods of stealing private information are as lively as ever.

Though Microsoft downplays the security risk, as it does with most, Valotta suggests that it is a simple attack to carry out and should not be taken lightly. Microsoft’s indifference rests on its assumption that it would take a lot to bait people into falling for such a trap.

Valotta disagrees. In an attempt to prove his point, Valotta claims, “I published this game online on Facebook and in less than three days, more than 80 cookies were sent to my server”. Essentially, the attack could use such information against the user, allowing a third party to impersonate users on their Facebook and Twitter accounts. Furthermore, Valotta proclaims that no IE version is safe from this attack, and no version of Windows, whether it be Vista, XP, or Windows 7, is secure either.

Personally, I find this report unsettling. It adds to the many ways in which private information is vulnerable to third parties. With users pouring more and more personal information into social media sites, attackers are relying on the plague of indifference for potential financial gain. One can never be too cautious.

Microsoft vehemently insists that such an attack has yet to take place outside of demonstrations. It reiterates that the likelihood of such attacks is minute.

Despite all skepticism toward such reassurances, with Microsoft not issuing a security update, one can assume that its predictions are accurate and that one need not lose any sleep over it.

Source: www.computerworld.com
