IE8 attacked

Chris Evans from Google showed how to use two-year-old vulnerabilities to bypass the same-origin policy and attack Internet Explorer 8. A successful attack gives a cybercriminal access to the user's confidential data.

During the demonstration, Evans used code that allowed him to attack Twitter, but it can be changed to attack almost any webpage.

The vulnerabilities were discovered in all major browsers, but as they were reported by Japanese researchers, the report went unnoticed. Only this year did browser vendors start to patch their software. Internet Explorer is the last one left unpatched.

In theory, the flaw may be used to attack any webpage that allows users to enter their own text.


source: Heise Online
07.09.2010