Security Alarm Sounded on Gmail and IE

Security vendor Cenzic has issued an advisory warning against alleged vulnerabilities in Google’s Gmail and Microsoft’s Internet Explorer.

The vulnerabilities involve potential Cross-site Request Forgery (CSRF) and Cross Site Scripting attacks that could be used to take users’ information.

In the case of Gmail, Cenzic alleges that the CSRF exists for addresses that display attachments. With Microsoft’s IE, the company said the problem is with how caching occurs which could lead to a XSS attack. Cenzic alleges that the user’s cache could be exploited across shared accounts on the same PC.

“Google takes security issues very seriously and will respond swiftly to fix verifiable security issues,” Google responded in an e-mail reply to about the report. “When properly notified of legitimate issues, we do our best to acknowledge every report, assign resources to investigate them, and fix potential problems as quickly as possible.”

The Google statement went on to downplay the issue that Cenzic described in its advisory.

“In this case, a malicious user (even a non-administrator) using a shared computer could alter the environment (in this scenario, modify data in the local browser cache) to make it hostile for all subsequent users,” Google stated. “But this is not specific to Gmail or Google products — a malicious user could exploit a shared computer any number of more direct ways, e.g. by installing a user-mode keylogger.”

Mark Miller, director of security response for Microsoft, noted that Microsoft is investigating new public claims of a possible vulnerability in Internet Explorer. Microsoft similarly downplayed the severity of Cenzic’s alleged vulnerability.

“We’re currently unaware of any attacks trying to use the claimed vulnerability or of customer impact,” Miller wrote.

Miller did not directly name Cenzic in the e-mail though a Microsoft spokesperson confirmed that the statement was sent in reference to a query made by about Cenzic’s allegations.

“Microsoft has thoroughly investigated the claim and found that this is not a product vulnerability. In the scenario in question an attacker would need authenticated access to the system in order to modify files located in the cache. With that level of access, an attacker could install malicious programs that would have more impact than the scenarios described.”

Mandeep Khera, VP of marketing at Cenzic explained to that Cenzic followed its responsible vulnerable disclosure policy and notified both vendors over 4 weeks ago. In his opinion both vendors were very responsive and replied immediately.

Khera noted that he was currently unaware of any exploits in the wild for the discovered issues. He admitted however that there might be many cases of this that have never been reported.

“Google and Microsoft don’t believe the problem is very serious since an attacker requires access to the physical machine,” Khera said. “However, Cenzic believes that this problem can be serious for shared computers at Airport Kiosks, Internet Cafes, and other public places where the machines are shared.”

So what should end users do to protect themselves? According to Khera, Cenzic is advising all consumers who use shared machines to disable browser caching when they are accessing a public machine.

“This will make the experience less user-friendly but at least it’s safer.”

News Around the Web