Apparently this new flaw is a variant of an older security hole that was noted as far back as December 2009. It exploits the way browsers like Internet Explorer 8 and Firefox handle something called CSS cross-site scripting.
The references here get a little technical, as they discuss the details of how this type of attack works. However, as a sales rep, here's what you need to know:
- Chrome, Firefox, Opera and Safari have upgraded their browsers to minimize the impact of cross-site scripting, making the browser behave better. Internet Explorer 8 and its predecessors, however, are more lax in how they handle cross-site scripting, making them even more vulnerable to exploitation.
- Web-based email platforms, like Yahoo Mail and Hotmail, can be used in the exploit and leave your Yahoo Mail or Hotmail accounts open to access from the attacker. So if you receive messages with strange-looking subject lines (for example, subject lines that start with {}) or phishing requests from questionable senders asking you to visit their website, go to DEFCON4 and stay on alert.
- Twitter can also be used in this exploit, resulting in the attacker posting to your account. So be on the lookout for ugly tweets that look similar to this: {}body{font-family: And, as always, be careful about clicking on those shortened links in any tweet. Some of those links will be pages that collect the compromised information.
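A mail gateway or feed monitor can look for the tell-tale text described in the bullets above. The following Python filter is an added example, not code from this post or its references; the regular expression, function names and sample subjects are assumptions built around the `{}body{font-family:` string quoted above. It decodes MIME-encoded subject lines first, so an encoded subject is checked the way the recipient would see it.

```python
import re
from email.header import decode_header, make_header

# Heuristic (an assumption of this example): the text opens with "{}" and then
# runs straight into a CSS rule, as in the "{}body{font-family:" tweet above.
CSS_LEAD = re.compile(
    r"""^\s*\{\s*\}\s*        # the empty "{}" block the post says to watch for
        [\w.#*\-\s,>:]+       # a selector such as "body"
        \{\s*[\w-]+\s*:       # an opening brace and a property name
    """,
    re.VERBOSE,
)


def decode_subject(raw):
    """Decode RFC 2047 encoded-words so the subject is checked as displayed."""
    try:
        return str(make_header(decode_header(raw)))
    except Exception:
        # Malformed encoding: fall back to the raw header text.
        return raw


def looks_like_css_injection(text):
    """True when text starts with "{}" followed by the start of a CSS rule."""
    return bool(CSS_LEAD.match(text))


def flag_subjects(raw_subjects):
    """Return the decoded subjects that match the heuristic."""
    decoded = (decode_subject(s) for s in raw_subjects)
    return [s for s in decoded if looks_like_css_injection(s)]


# Constructed sample subject lines (not taken from real traffic).
SAMPLES = [
    "{}body{font-family:'",
    "=?utf-8?Q?=7B=7Dbody=7Bfont-family:?=",   # same text, MIME Q-encoded
    "Q3 pricing sheet {draft}",
    "Re: {} placeholder left in the template",
]

if __name__ == "__main__":
    for subject in flag_subjects(SAMPLES):
        print("suspicious subject:", subject)
```

Only the first two samples are flagged; ordinary subjects that merely contain braces are left alone.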
Microsoft investigates public IE CSS XSS flaw; Twitter, Hotmail vulnerable
Protecting Browsers from Cross-Origin CSS Attacks
Until Microsoft fixes this particular issue in Internet Explorer 8, you might want to download and run Firefox as an alternate browser to get peace of mind.
Who knows... you might even like it.