Microsoft Internet Explorer ‘Forced Tweet’ Cross Domain
Affected OS: Windows XP (Service Pack 3, [++])
Description: A cross domain privilege escalation vulnerability is present in some versions of Microsoft Internet Explorer.
Recommendation: SecurityOrb is not aware of a vendor-supplied patch/update at this time.
Observation: A cross domain privilege escalation vulnerability is present in some versions of Microsoft Internet Explorer.
The flaw lies in Internet Explorer’s ability to load and render external web pages as CSS files. Under certain circumstances, session IDs can be hijacked and used to force ‘tweets’ through Twitter.com or to utilize other URL shortening services to distribute exploits.
Common Vulnerabilities & Exposures (CVE): CVE-2009-2433
IAVA Reference Number: IAVA-REF-NUMBER-NOMATCH