Researchers at Aladdin Knowledge Systems have discovered a “significant” vulnerability in the page-caching technologies of three major search engines, allowing them to deliver malicious pages that have been removed from the web.
The researchers discovered the vulnerability when analyzing the content of a hacked university website. The site was cleaned, but malicious content was still reachable via search engine caches.
The flaw is a "glimpse of the future" of multifaceted web-based attacks, said Ofer Elzam, director of product management at Aladdin.
Elzam told SCMagazineUS.com that researchers at Aladdin's eSafe CSRT were able to use the search capabilities of Google, Yahoo and Windows Live Search to access cached copies of removed, but cached, webpages that contained malicious code.
“The malicious webpage was at a university, and it contained malicious code that attempted to download multiple types of trojans and spyware," Elzam said. "We decided to see if we could find copies of the original page, and we found cached copies in the [search engine] results.”
Elzam added that to take advantage of such a flaw, an attacker could create multiple malicious webpages at various hosting services, do some promotion of them into the search engines, then take the pages offline so it appears there's no threat. A series of links among multiple websites could be used for a cross-site scripting attack.
A Microsoft spokesman told SCMagazineUS.com today that he is not aware of any negative customer impact, but the Redmond, Wash.-based corporation is investigating the issue.
“As a matter of course, Live Search takes a number of steps to remove malware from our collection of cached pages, including automated scanning, as well as human intervention, to reduce the amount of cached content that could present any risk to users of the service,” he said.
Yahoo, meanwhile, promised a quick response to the reports.
"Yahoo is committed to protecting its users from malicious sites on the web and we follow up aggressively on reports about potentially malicious pages,” a company spokesman told SCMagazineUS.com. “This is an ongoing battle for all search engines and Yahoo has processes in place to quickly remove cached pages.”
Google did not respond to SCMagazineUS.com's request for comment.