Category:   Application (Web Browser)  >   Microsoft Internet Explorer
Vendors:   Microsoft
Microsoft Internet Explorer Lets Remote Users Spoof Certain Objects
SecurityTracker Alert ID:  1018193
SecurityTracker URL:
CVE Reference:   CVE-2007-3092
Updated:  May 12 2008
Original Entry Date:  Jun 5 2007
Impact:   Modification of system information, Modification of user information
Exploit Included:  Yes  
Version(s): 6
Description:   A vulnerability was reported in Microsoft Internet Explorer. A remote user can spoof portions of the browser window.

A remote user can create specially crafted HTML that, when loaded by the target user, will manipulate 'location' DOM objects to spoof the URL bar, page dialogs, or SSL certificates.

A demonstration exploit is available at:

Michal Zalewski discovered this vulnerability.

Impact:   A remote user can spoof portions of the browser window.
Solution:   No solution was available at the time of this entry.
Vendor URL:
Cause:   Access control error
Underlying OS:   Windows (Any)

Message History:   None.

 Source Message Contents

Date:  Mon, 4 Jun 2007 13:02:40 +0200 (CEST)
Subject:  Assorted browser vulnerabilities


Will keep it brief. A couple of browser bugs, fresh from the oven, hand
crafted with love:

1) Title    : MSIE page update race condition (CRITICAL)
   Impact   : cookie stealing / setting, page hijacking, memory corruption
   Demo     :

   ...aka the bait & switch vulnerability.

   When Javascript code instructs MSIE6/7 to navigate away from a page
   that meets same-domain origin policy (and hence can be scriptually
   accessed and modified by the attacker) to an unrelated third-party
   site, there is a window of opportunity for concurrently executed
   Javascript to perform actions with the permissions for the old page,
   but actual content for the newly loaded page, for example:

     - Read or set victim.document.cookie,

     - Arbitrarily alter document DOM, including changing form submission
       URLs, injecting code,

     - Read or write DOM structures that were not fully initialized,
       prompting memory corruption and browser crash.

   This is tested on MSIE6 and MSIE7, fully patched.

2) Title    : Firefox Cross-site IFRAME hijacking (MAJOR)
   Impact   : keyboard snooping, content spoofing, etc
   Demo     :
   Bugzilla : [May 30]

   Javascript can be used to inject malicious code, including key-snooping
   event handlers, on pages that rely on IFRAMEs to display contents or
   store state data / communicate with the server.

   This is related to a less severe variant independently reported by
   Ronen Zilberman two weeks earlier (bug 381300).

3) Title    : Firefox file prompt delay bypass (MEDIUM)
   Impact   : non-consensual download or execution of files
   Demo     :
   Bugzilla : [Apr 04]

   A sequence of blur/focus operations can be used to bypass delay timers
   implemented on certain Firefox confirmation dialogs, possibly enabling
   the attacker to download or run files without user's knowledge or

4) Title    : MSIE6 URL bar spoofing (MEDIUM)
   Impact   : mimicking an arbitrary site, possibly including SSL data
   Demo     :

   MSIE6 vulnerability, similar but unrelated to my earlier onUnload
   entrapment flaw, allows sites to spoof URL bar data.

   MSIE7 is not affected because of certain high-level changes in the

