
ALERT: Cross HTTP Response Splitting Session Fixation Smuggling Scripting Vulnerability Discovered

CERT has issued a warning against a new web-based threat entitled a "Cross HTTP Response Splitting Session Fixation Smuggling Scripting Vulnerability". According to the founder of DSHIELD, Johannes Ullrich:

"If on April 1st you have specific non-default settings in Internet Explorer, visit a series of 4 specific websites in order through a specific embedded device based proxy server, it may be possible to execute a JavaScript Popup within the remote zone". An avid Firefox user was quoted on Slashdot as saying "It's times like this that sitting on my high horse and using a non Microsoft based browser comes in handy".

Vulnerability details are scarce, but initial reports are that 100,000,000 machines have been compromised. Chief Cracking Officer Marc Maiffret of eEye has issued an unofficial patch that users can download on their website.

Microsoft already has a patch available on their website.

If you have any additional information please contact us on our contact form and we'll update this page with the latest details.

