www.kb.cert.org/vuls/id/713878
Vulnerability Note VU#713878 Microsoft Internet Explorer does not properly validate source of redirectedframe Overview Microsoft Internet Explorer (IE) does not adequately validate the security context of a frame that has been redirected by a web server. An attacker could exploit this vulnerability to evaluate script in different security domains. By causing script to be evaluated in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE. I Description The Cross-Domain Security Model IE uses a cross-domain security model to maintain separation between browser frames from different sources. This model is designed to prevent code in one domain from accessing data in a different domain.
an implicit zone for content that exists on the local computer. The content found on the user's computer, except for content that Internet Explorer caches on the local system, is treated with a high level of trust."
HTTP Redirection A web server can respond to an HTTP request with a 300-series status code indicating that a requested resource exists under a different URI. In the 300 response, the server indicates the different URI in the Location field of the HTTP headers. An attacker can configure a web server to send a delayed 300 response specifying a URI that points to a resource on the client's system, in the Local Machine Zone. The Location field can be set to any local HTML resource.
a modal dialog box that displays the specified HTML document." retains the input focus while open" and that "The user cannot switch windows until the dialog box is closed." A modal dialog box can be closed programmatically by script running in the HTML document that provides the content for the dialog box.
When the location of the content of a frame is changed with an HTTP redirect response, a modal dialog box that was called from the frame before the redirect will return a cached reference to the frame's original domain. IE then incorrectly considers the cached domain instead of the redirected domain when determining the security domain of the modal dialog box. Also, since the contents of the frame have been changed by the redirect, it is possible to set the location object of the frame. By redirecting to a local resource, controlling the timing of the redirect, and setting the frame's location to a javascript: protocol URI, an attacker can execute script in the security context of the Local Machine Zone. Functional exploit code is publicly available, and there are reports of incidents involving this vulnerability. Any program that hosts the WebBrowser ActiveX control or used the IE HTML rendering engine (MSHTML) may be affected by this vulnerability. Impact By convincing a victim to view an HTML document (web page, HTML email), an attacker could execute script in a different security domain than the one containing the attacker's document. By causing script to be run in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE. Solution Until a complete solution is available, consider the following workarounds. Disable Active scripting and ActiveX Disabling Active scripting and ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this vulnerability. Disabling Active scripting and ActiveX controls in the Local Machine Zone will prevent widely used payload delivery techniques from functioning.
Service Pack 2 for Windows XP (currently in beta release) includes these and other security enhancements for IE. Apply the Outlook Email Security Update Another way to effectively disable Active scripting in Outlook is to install the Outlook Email Security Update. The update configures Outlook to open email messages in the Restricted Sites Zone, where Active scripting is disabled by default. In addition, the update provides further protection against malicious code that attempts to propagate via Outlook.
The functionality of the Outlook Email Security Update is included in Outlook 2002 and Outlook Express 6 Outlook 2003 includes these and other security enhancements. Read and send email in plain text format Outlook 2003, Outlook 2002 SP1, and Outlook 6 SP1 can be configured to view email messages in text format. Consider the security of fellow Internet users and send email in plain text format when possible. Note that reading and sending email in plain text will not necessarily prevent exploitation of this vulnerability. Maintain updated anti-virus software Anti-virus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely solely on anti-virus software to defend against this vulnerability.
Do not follow unsolicited links Do not click on unsolicited URLs received in email, instant messages, web forums, or internet relay chat (IRC) channels. While this is generally good security practice, following this behavior will not prevent exploitation of this vulnerability in all cases. Use a different web browser There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when browsing untrusted sites. Such a decision may, however, reduce the functionality of sites that require IE-specific features such as DHTML, VBScript, and ActiveX.
|
http://csua.com/feed/