Microsoft investigates public IE CSS XSS flaw; Twitter, Hotmail vulnerable
September 8, 2010 by admin
Late last week, a security flaw in Internet Explorer 8 was publicly disclosed to the Full Disclosure mailing list. The flaw allows attackers to steal private information from online services such as web mail and Twitter, letting them, for example, delete e-mails or send tweets from their victims' accounts.
The post was made by Google employee Chris Evans. He stated that the reason for going public was to try to persuade Microsoft to fix the problem—the new flaw is a variant on an older attack, and the details of the flaw were made public in a paper authored by Carnegie Mellon students that Evans reviewed. While the other major browser vendors have fixed their browsers to prevent the attack—Chrome 4.0.249.78, Safari 4.0.5, and most recently Firefox 3.6.7 and 3.5.11 all include protection against the flaw—Microsoft has thus far failed to update Internet Explorer to provide protection.
Chrome August’s big winner as Internet Explorer resumes slide
September 2, 2010 by admin
As browser competition continues to heat up, 2010 looks like the year when the market was repeatedly disrupted. Internet Explorer has not managed to gain share for a third month in a row. Firefox is leveling out while Chrome and Safari continue to grow. Opera? It's hanging on to relevance.
Between July and August, Internet Explorer dropped 0.34 percent, a drop smaller than June's or July's gain. Firefox, meanwhile, went up 0.02 percent, Chrome gained 0.36 percent, Safari was up 0.07, and Opera dipped 0.08 percent.
IE looks stuck around the 60 percent mark for the time being. At least it's still above its lowest point (59.69 percent), with its best chance of market share gains in the short term coming with the IE9 beta and the back-to-school season.
The importance of being the default browser in the world's most popular operating system continues to help IE. Microsoft browsers are being used by more than 6 out of 10 people and IE8 is being used by more than one in four on the Web (quickly closing in on one in three)—it is now at 27.90 percent (over 30 percent if Compatibility Mode is included). Unfortunately for Web developers everywhere, IE6 continues to be more popular than IE7, though this month it declined more than its successor. IE6's share can be attributed to businesses still using customized intranet applications, and XP's much bigger installed base than Vista's (especially in developing countries).
If we take a look at the last 12 months, the stabilization of IE is really obvious. Firefox, meanwhile, remains far away from what may be the unreachable 25 percent mark, having lost all the share it gained in the last year. Its market share is actually lower than it was a year ago. Chrome's progress is very noticeable in the chart above, though it seems to have found resistance at the 7 percent mark. Safari's gains are at about 1 percentage point, while Opera's are almost insignificant.
As always, things at Ars are very different. There was no place-changing this time: Firefox continues to dominate, Chrome is second, Safari is third, IE is fourth, and Opera brings up the rear. Last month, Firefox gained share, as did Chrome and Opera. The first-party browsers, Safari and IE, both dropped.
IE gains market share at the expense of Firefox, Chrome
August 3, 2010 by admin
Now that we're past the halfway point of 2010, it's starting to become apparent that the browser trends we've noted over the past several months are no longer holding. Sure, Safari and Opera are still slowly gaining share, but the three big guys are restless. Firefox has started declining, Chrome's growth spurt seems to have been put on hold, and Internet Explorer experienced gains for the second month in a row.
Vendor inaction leads researcher to disclose Safari, IE flaw
July 21, 2010 by admin
If you use the autocomplete features in Safari, certain versions of IE, Firefox, or Chrome, you could be making yourself vulnerable to identity theft and other attacks, according to one security researcher scheduled to speak at the Black Hat conference next week. WhiteHat Security CTO Jeremiah Grossman says that the four major browsers have critical weaknesses that have yet to be addressed by their respective companies, and could expose users' passwords, e-mail addresses, and more to attackers.
Grossman plans to demo a proof-of-concept attack at next week's conference. As most of us know, if you have autocomplete turned on in many browsers, you just have to begin typing a letter or two in one of the fields before they all fill in with your name and address, possibly your credit card number, and more. Grossman says attackers can simply create a page with hidden form fields that use JavaScript to enter letters and numbers into each field until it finds one that's a hit, and the browser autocompletes it.
Users don't even have to enter a single letter for the attack to work—all they have to do is load the page, and they likely wouldn't even be aware of what's happening.
According to Grossman, the autocomplete exploit works in the two most recent versions of Safari (4 and 5), as well as IE 6 and 7. Firefox and Chrome aren't susceptible to this particular attack, though they were vulnerable to another one: Grossman says that the two browsers can expose stored usernames and passwords for saved sites, making it possible for a cross-site scripting vulnerability to grab the info when a user logs into a Google account or Facebook, for example.
He plans to expose these vulnerabilities at Black Hat because the companies in question have apparently not responded to Grossman's attempts to contact them about it. "I would never have talked about this publicly if Apple had taken this seriously," Grossman told The Register. "I figured somebody else must have found this before because it's so brain-dead simple." When he sent a follow-up query, "I never heard anything back, human or robotic."



