Another IE security hole

Hai Nam Luke has discovered a vulnerability in Internet Explorer, which can be exploited by malicious people to conduct phishing attacks.

http://www.securityfocus.com/archive/1/429891/30/0/threaded

http://secunia.com/Internet_Explorer_Address_Bar_Spoofing_Vulnerability_Test/

 

Using IE6 here, Security Settings High, the exploit doesn't work.

 

Hi

Doesn't work on mine either, but it is locked down. All i get is a completely blank page on here http://secunia.com/Internet_Explorer_Address_Bar_Spoofing_Vulnerability_Test/

So another vulnerability passed with flying colours i'm very pleased to say.


StevieO

 

Right and I guess, that blocking flash in IE should do it as well (Flash is used mostly for ADs).

 

This is similar to a long-standing "exploit" involving frame injection, and, like that issue, the new vulnerability requires that the permission "Navigate sub-frames across different domains" be enabled. The old exploit, documented at:

http://secunia.com/multiple_browsers_frame_injection_vulnerability_test/

does not even require Javascript to be enabled, and I wouldn't be surprised if someone found a way to exploit this one without needing script as well. Note that Secunia's link is via Javascript, so if that is disabled, Secunia's test will not even launch; thus, in particular, Rmus and StevieO did not notice a problem.

I want to point out that in both vulnerabilities, the injected content runs in the security context of the rogue website; i.e., there does not appear to be a cross-site scripting issue. In the particular test that I ran, Google was in the Internet Zone and Secunia was relegated to my default security zone 5 (I find having an extra zone to be useful). Note that in the image (link shown below), the address bar indeed says Google is the URL, but the lower-right part of the image shows Secunia's zone. This test did not succeed totally, for Secunia's final action is to download a Flash file (just a large "SECUNIA" image), but that was not injected into the page, for reasons unknown. REGMON did indicate that Flash was checked against the AllowedControls list and then was instantiated.

Personally, I consider "Navigate sub-frames across different domains" to be one of the shakier permissions, and thus I require prompting before allowing this action in the default zone. Routinely, I deny this permission unless I totally trust the site. This test failed to "exploit", of course, when cross-domain navigation was disabled. Additionally, it failed when I said 'yes' to prompts due to some unknown timing issue (the script involves timing), and I did not have time to find out what was happening. I needed to change the permission to Enable to get the exploit to work. Other default settings of interest for this test included the enabling of Active scripting and a small number of Active X controls, including Flash. Your results may vary.

CrackMan
XP/XP2; IE6/SP2

 

So disabling iframes is another possible protection?

 

No, a different issue here. This is not related to the "Execute by Hyperlink" capability that is enabled by the permission Launching programs and files in an IFRAME -- something that one should never permit except in very special circumstances. Microsoft documents this at http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q232077 . Secunia is reporting another variation on frame weaknesses that have plagued IE, and other browsers, over the years. I say "weakness" because this again is a spoof, not an exploit.

CrackMan

 

It does not work for me at all, so it looks like this is no issue with hardened IE security settings.

 

Rasheed:

True. You and probably most individuals who tune into this, or other security-conscious sites, will likely have hardened browsers that will be immune to this issue. Problem is, the default "Medium" security that is recommended for IE's Internet Zone will leave your average John Doe vulnerable. Specifically, the Medium Template enables Navigate sub-frames across different domains as well as the active scripting and ActiveX needed for this particular demonstration to work.

This permission is not totally useless; specifically, anyone who does a search by using the Search Companion (clicking the magnifying glass in IE's Toolbar) will in essence open up a "frame" on the left side of the screen. When one clicks a result, IE navigates the new web page into the right-hand "frame" if it is permitted to do so via the aforementioned permission. Even though the web page itself might not use frames, IE treats the simultaneous existence of separate web sites as a cross-subframe issue.

CrackMan
XP/IE6/SP2

 

Yes, a lot of (old) and maybe even new exploits don´t even work with the Internet/Local Machine Zone locked down. Disabling a lot of ActiveX controls and some URL Protocol handlers used by IE also makes sense of course, since they all can be used as attack vectors. But I see that MS has learned from there mistakes and finally configured IE7 in the most secure way. And IMO most of us do not need all these features in IE anyway, I mean I have never run into any problems with any websites.