Microsoft last Friday said it was looking into a long-known vulnerability in Internet Explorer (IE) that could be used to access users' data and Web-based accounts.
The bug can allow hackers to hijack Web mail accounts, steal data, and send illicit tweets, said Google security engineer Chris Evans in a message posted on the Full Disclosure mailing list.
The vulnerability, known as a "CSS cross-origin theft" bug, has a long history. Researchers at Carnegie Mellon University, who recently published a paper ( download PDF ) on the subject, have traced it back as far as 2002. Those researchers will present their paper at the Conference on Computer and Communications Security next month.
Although Microsoft has not patched the vulnerability in IE8, other browsers -- including Firefox, Chrome, Safari, and Opera -- have fixed the flaw. Google patched the bug in Chrome last January, while Mozilla did the same in July with Firefox 3.6.7 and Firefox 3.5.11.
IE9 includes a fix for the vulnerability. Microsoft plans to ship a public beta of IE9 on Sept. 15.
On Friday, Evans explained why he was adding to the patch pressure by crafting a proof-of-concept. "I have been unsuccessful in persuading the vendor to issue a fix," he said of Microsoft.
Microsoft issued a statement Friday saying it was investigating Evans' reports, but declined to answer questions on Monday, including whether earlier versions of IE were vulnerable or why it has not yet addressed the bug.
"We're currently unaware of any attacks trying to use the claimed vulnerability or of customer impact," said Jerry Bryant, a group manager with the Microsoft Security Response Center, in the emailed statement.
Microsoft should not have been surprised by Evans' disclosure. In early August, Evans blogged that IE8 was the "most vulnerable" to the flaw. In that blog, Evans also said he had a proof-of-concept able to appropriate a Web mail account. "It's a nasty attack," Evans said, "email someone a link and if they click it, they are owned with a pure browser cross-origin bug."