Thursday, October 21, 2010

Minor leak, major headache

I find this bug interesting, because at first it looks like a relatively minor cross-origin leak. But with a bit of investigation, it turns out to have major consequences.

The bug is specific to Internet Explorer, and still seems unfixed (in stable versions) at the time of writing. I told Microsoft about it back in 2008. Therefore this disclosure is not an 0-day, but more like a 600-day.

The bug is pretty simple: IE supports a window.onerror callback which fires whenever a JavaScript parse or runtime error occurs. Trouble is, it fires even if www.evil.com registers its own window.onerror handler and then uses