A bug in Microsoft Corp.’s Internet Explorer Web browser gives phishers a way to scan the hard drives of Google Desktop users, according to an Israeli hacker. Because of a flaw in the way Internet Explorer processes Web pages, a malicious Web site could use the attack to steal sensitive information such as credit card numbers or passwords from the hard drives of its visitors.
“Google Desktop users who use IE are currently completely exposed,” hacker Matan Gillon said via e-mail. “An experienced attacker can covertly harvest their hard drives for sensitive information such as passwords and credit card numbers. Since Google also indexes e-mails which can be read in the Web interface itself, it’s also possible to access them using this attack.”
Gillon has posted in his blog an extensive description of how such an attack would work, along with a proof-of-concept exploit.
Microsoft executives were unavailable to comment on the bug, but a spokeswoman for the company’s public relations agency said the issue is being investigated. Microsoft isn’t aware of any attacks resulting from the hole, she said.
The Internet Explorer bug relates to the way Microsoft’s browser processes Web page layout information using the Cascading Style Sheets format. The CSS format is widely used to give Web sites a consistent look and feel, but attackers can take advantage of how CSS is processed to get Google Desktop to reveal sensitive information.
Hackers would first need to trick users into visiting a malicious Web site for the attack to be successful, Gillon said. The attack works with Internet Explorer 6 and Google Desktop Version 2, but it may also work on other versions of Microsoft’s browser. It does not work with non-Microsoft browsers such as Firefox and Opera, he said.
Users can nullify the attack by turning off JavaScript in their browsers, Gillon said. This can be done by disabling “active scripting” in Internet Explorer’s Internet Options menu. JavaScript is a popular scripting language used by Web developers to make their sites more dynamic.
Users need to be particularly wary of the Web sites they visit these days because of a second unpatched Internet Explorer vulnerability that could be used to take over a user’s PC. Hackers posted sample code that exploited this problem over a week ago, and Microsoft said that hackers are already using the code in attacks. As with the CSS problem, users must first be tricked into visiting a malicious Web site for this second Internet Explorer bug to be exploited.
