DJYSRV

Let's see. We've got three brainiac multi-billionaires. They're Bill Gates and the twin geniuses from Google. Despite all that money and brainpower, a couple of criminal hackers from some unknown province have managed to put the entire Internet at risk due to the combined lapses of Microsoft and Google.

Here is another fine mess! It could not happen with Opera It's like Laurel and Hardy took over computer science 101.

IE Bug Lets Hackers Phish With Google Desktop

Robert McMillan, IDG News Service Fri Dec 2, 5:00 PM ET

A bug in Microsoft's Internet Explorer browser gives phishers a way to scan the hard drives of Google Desktop users, according to an Israeli hacker. Because of a flaw in the way IE processes Web pages, a malicious Web site could use the attack to steal sensitive information like credit card numbers or passwords from the hard drives of its visitors.

"Google Desktop users who use IE are currently completely exposed," wrote hacker Matan Gillon in an e-mail interview. "An experienced attacker can covertly harvest their hard drives for sensitive information such as passwords and credit card numbers. Since Google also indexes e-mails which can be read in the Web interface itself, it's also possible to access them using this attack."

The Details

Gillon has posted an extensive description of how such an attack would work, along with a proof of concept exploit, on his blog.

The IE bug concerns the way Microsoft's browser processes Web page layout information using the CSS (Cascading Style Sheets) format. The CSS format is widely used to give Web sites a consistent look and feel, but attackers can take advantage of the way that IE processes CSS to get Google Desktop to reveal sensitive information.

Hackers would first need to trick users into visiting a malicious Web site for the attack to be successful, Gillon says. The attack works with IE 6 and Google Desktop version 2, and may also work on other versions of Microsoft's browser, but not on non-Microsoft browsers like Firefox or Opera, he adds.
Turn Off JavaScript

Users can nullify the attack by turning off JavaScript in their browsers, Gillon says. This can be done by disabling "Active scripting" in IE's Internet Options menu. JavaScript is a popular scripting language used by Web developers to make their sites more dynamic.

Users need to be particularly wary of the Web sites they visit these days, because of another unpatched IE vulnerability that could be used to take over a user's PC. Hackers posted sample code that exploited this problem over a week ago, and Microsoft said that hackers are already using the code in attacks. As with the new CSS problem, users must first be tricked into visiting a malicious Web site for this IE bug to be exploited.