SecurityTracker.com
Category:  Application (Web Browser)  >  Microsoft Internet Explorer (IE)
Vendors:  Microsoft
Microsoft Internet Explorer 'Chromeless' Window May Let Remote Users Spoof Various User Interface Characteristics
SecurityTracker Alert ID:  1007190
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Jul 14 2003
Impact:  Modification of user information
Exploit Included:  Yes  
Version(s): 5.5 and later
Description:  A vulnerability was reported in Microsoft Internet Explorer in the use of 'chromeless' windows. A remote user can modify the appearance of a web page to trick the target user.

It is reported that the window.createPopup method allows a remote user to open a chromeless window that can overlay a genuine window. This allows the remote user to create fake or modified user interfaces on the target user's system.

Some demonstration exploit pages are available at:

http://www.doxdesk.com/personal/posts/bugtraq/20030713-ie/

According to the report, some other exploit methods were removed in IE 6 SP1, but this particular method remains vulnerable.

The vendor has reportedly been notified (on January 23, 2003).

Impact:  A remote user can create HTML that, when loaded on the target user's computer, will create the appearance of an alternate user interface. This can be used to trick the target user into inadvertently performing an input action.
Solution:  No solution was available at the time of this entry.

The author indicates that, as a workaround, you can disable Active Scripting on the target computer.

Vendor URL:  www.microsoft.com/technet/security/
Cause:  State error
Underlying OS:  Windows (Any)
Reported By:  Andrew Clover <and-bugtraq@doxdesk.com>
Message History:   None.


Source Message Contents

Date:  Sun, 13 Jul 2003 19:20:21 +0000
From:  Andrew Clover <and-bugtraq@doxdesk.com>
Subject:  IE chromeless window vulnerabilities


Title: IE chromeless window vulnerabilities
Affects: Internet Explorer 5.5 and later
Risk: Medium


Introduction
------------

A window without a frame, title bar, toolbars or scroll bars is known as
a 'chromeless' window. If a chromeless window can be opened on top of
other windows, it is possible to impersonate Windows user interface
elements.

Why is this a security problem? Because Windows and browser UI elements
are themselves part of security mechanisms. If the UI for security features
can be faked, users can be tricked into making inappropriate decisions.

The 'traditional' way of doing chromeless windows was to use the DHTML
method window.open to open a full-screen browser window (which is
chromeless) and then resize this to smaller dimensions. This capability
was removed in IE6 Service Pack 1, presumably due to exactly these
security concerns.


The problem
-----------

It is still possible to get chromeless windows by using the
window.createPopup method. A window opened with createPopup has some
unusual properties:

  - It is closed when one clicks outside the popup. This is easy
    to circumvent by simply re-spawning it on close.

  - It cannot be focused. (It is impossible to put controls like text
    input fields in it; this, at least, prevents us from overlaying
    fake login forms onto other websites.) Focus stays with the opener
    window.

  - It floats above other normal windows, allowing it to obscure them
    even whilst they are focused.

One popup may be created per window, allowing one to overlay an
arbitrary rectangle of screen display area with fake UI. More complicated
overlays can be achieved by having multiple windows opening popups at
once; a popup is itself a window so can be used to open further popups.


Exploitation
------------

There are three simple exploit demonstrations at:

  http://www.doxdesk.com/personal/posts/bugtraq/20030713-ie/

One fakes the address bar to seem to be another site; another tries to
trick the user into adding a bookmark to the favorites menu by hiding the
dialog box that has focus; another hides an ActiveX download prompt in
order to fool the user into allowing arbitrary code to be run. These
exploits are unpolished and could no doubt be made more convincing and
robust, but this demonstrates the risk.


Solution
--------

window.createPopup() should have the same chromeless window restrictions as
createModalDialog() and createModelessDialog().


Workaround
----------

Disable Active Scripting.


Vendor response
---------------

Microsoft were informed of the problem on 23rd January. After initially
encouraging e-mails, no action has been taken since.

I am posting this issue now as I have seen it being exploited in the
wild.

If you use IE, be extremely wary of trusting what appear to be its
built-in security controls.

-- 
Andrew Clover
mailto:and@doxdesk.com
http://www.doxdesk.com/
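As an added defender-side example (not code from the advisory, from SecurityTracker, or from the poster), the following static check flags captured HTML/JavaScript that uses the IE chromeless-window primitives described above: window.createPopup(), popup.show() at fixed screen coordinates, the older full-screen window.open() trick, and a timer that could re-spawn a closed popup. The risk thresholds and the sample page are assumptions constructed for the example.

```javascript
// Static triage check for the IE chromeless-window techniques in the advisory.
// Meant for reviewing captured pages offline (mail gateway, proxy logs), not for
// running inside a browser. Patterns and thresholds are assumptions.
const CHROMELESS_PATTERNS = [
  { id: "createPopup", re: /\bcreatePopup\s*\(/,
    why: "window.createPopup() opens a chromeless, always-on-top popup (IE 5.5+)" },
  { id: "popupShow", re: /\.show\s*\(\s*-?\d+\s*,\s*-?\d+\s*,\s*\d+\s*,\s*\d+/,
    why: "popup.show(x, y, w, h) places the popup at fixed screen coordinates" },
  { id: "fullscreenOpen", re: /window\.open\s*\([^)]*fullscreen\s*=\s*(?:yes|1)/i,
    why: "full-screen window.open() is the pre-IE6 SP1 chromeless technique" },
  { id: "respawnTimer", re: /\b(?:setInterval|setTimeout)\s*\(/,
    why: "timer present; with createPopup it may re-spawn the popup on close (heuristic)" },
];

// Scan the page text line by line and report every pattern hit with its line number.
function findChromelessUsage(pageText) {
  const findings = [];
  pageText.split(/\r?\n/).forEach((line, idx) => {
    for (const p of CHROMELESS_PATTERNS) {
      if (p.re.test(line)) findings.push({ line: idx + 1, id: p.id, why: p.why });
    }
  });
  return findings;
}

// Rate the page: a chromeless primitive alone is "medium"; combined with a timer
// that could keep re-spawning the overlay it is "high". Thresholds are an assumption.
function assessPage(pageText) {
  const findings = findChromelessUsage(pageText);
  const ids = new Set(findings.map((f) => f.id));
  const chromeless = ids.has("createPopup") || ids.has("fullscreenOpen");
  let risk = "none";
  if (chromeless) risk = ids.has("respawnTimer") ? "high" : "medium";
  return { risk, findings };
}

// Constructed sample of a suspicious page (not the advisory's demonstration code).
const SAMPLE_PAGE = [
  '<html><body onload="start()"><script>',
  "var p;",
  "function start() {",
  "  p = window.createPopup();",
  "  p.show(0, 740, 1024, 28, document.body);",
  "  setInterval(start, 500);",
  "}",
  "</script></body></html>",
].join("\n");

console.log(JSON.stringify(assessPage(SAMPLE_PAGE), null, 2));
```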


Copyright 2002, SecurityGlobal.net LLC