14 DAY TRIAL // Microsoft's top browser, Internet Explorer, contains a critical vulnerability that could enable an intruder, who manages to exploit it, to access the victim's Gmail account and all the information stored in it, Cenzic Inc. warned today.
"Cenzic discovered the possible Cross-site Request Forgery (CSRF) on URLs that display attachments when viewed using 'View as HTML'. CSRF, in combination with the improper use of caching directives, could lead to leakage of sensitive information that, when used in conjunction with the vulnerability in Internet Explorer described below, could instigate cross-site scripting issues. Cross-site scripting can lead to various exploits like credential theft, that can give active unauthorized access to the system", it is mentioned in the press release published on the company's official website.
What's interesting is that an attacker is not able to connect remotely to the affected computer, so he needs physical access to it in order to be able to exploit it. Certainly, this is not a problem as there are so many Internet cafes accessed by million of Gmail members.
"These vulnerabilities demonstrate the serious threats in common services that users take for granted as being safe and secure", said Mandeep Khera, VP of marketing at Cenzic. "There's an obvious need for these threats to be handled in a proactive and timely manner. While large vendors like Microsoft and Google are being more aggressive in taking measures to protect their applications, we still have a long way to go. For smaller ISVs and corporations, the situation is more bleak when it comes to application security."
This is not the first time when Google's mail technology is affected by such a dangerous exploit. However, the Mountain View company has always been opened to communication and this matter helped it repair the problems quick and easy. Cenzic has already informed both Google and Microsoft, so we're expecting a patch or something to fix this vulnerability. Until then, a solution would be disabling the caching function of Internet Explorer, as the security company advised.