Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
Microsoft Internet Explorer Lets Remote Users Spoof Certain Objects
|
|
SecurityTracker Alert ID: 1018193 |
|
SecurityTracker URL: http://securitytracker.com/id/1018193
|
|
CVE Reference:
CVE-2007-3092
(Links to External Site)
|
Updated: May 12 2008
|
Original Entry Date: Jun 5 2007
|
Impact:
Modification of system information, Modification of user information
|
Exploit Included: Yes
|
Version(s): 6
|
Description:
A vulnerability was reported in Microsoft Internet Explorer. A remote user can spoof portions of the browser window.
A remote user can create specially crafted HTML that, when loaded by the target user, will manipulate 'location' DOM objects to spoof the URL bar, page dialogs, or SSL certificates.
A demonstration exploit is available at:
http://lcamtuf.coredump.cx/ietrap2/
Michal Zalewski discovered this vulnerability.
|
Impact:
A remote user can spoof portions of the browser window.
|
Solution:
No solution was available at the time of this entry.
|
Vendor URL: www.microsoft.com/ (Links to External Site)
|
Cause:
Access control error
|
Underlying OS:
Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Mon, 4 Jun 2007 13:02:40 +0200 (CEST)
Subject: Assorted browser vulnerabilities
|
Hello,
Will keep it brief. A couple of browser bugs, fresh from the oven, hand
crafted with love:
1) Title : MSIE page update race condition (CRITICAL)
Impact : cookie stealing / setting, page hijacking, memory corruption
Demo : http://lcamtuf.coredump.cx/ierace/
...aka the bait & switch vulnerability.
When Javascript code instructs MSIE6/7 to navigate away from a page
that meets same-domain origin policy (and hence can be scriptually
accessed and modified by the attacker) to an unrelated third-party
site, there is a window of opportunity for concurrently executed
Javascript to perform actions with the permissions for the old page,
but actual content for the newly loaded page, for example:
- Read or set victim.document.cookie,
- Arbitrarily alter document DOM, including changing form submission
URLs, injecting code,
- Read or write DOM structures that were not fully initialized,
prompting memory corruption and browser crash.
This is tested on MSIE6 and MSIE7, fully patched.
2) Title : Firefox Cross-site IFRAME hijacking (MAJOR)
Impact : keyboard snooping, content spoofing, etc
Demo : http://lcamtuf.coredump.cx/ifsnatch/
Bugzilla : https://bugzilla.mozilla.org/show_bug.cgi?id=382686 [May 30]
Javascript can be used to inject malicious code, including key-snooping
event handlers, on pages that rely on IFRAMEs to display contents or
store state data / communicate with the server.
This is related to a less severe variant independently reported by
Ronen Zilberman two weeks earlier (bug 381300).
3) Title : Firefox file prompt delay bypass (MEDIUM)
Impact : non-consentual download or execution of files
Demo : http://lcamtuf.coredump.cx/ffclick2/
Bugzilla : https://bugzilla.mozilla.org/show_bug.cgi?id=376473 [Apr 04]
A sequence of blur/focus operations can be used to bypass delay timers
implemented on certain Firefox confirmation dialogs, possibly enabling
the attacker to download or run files without user's knowledge or
consent.
3) Title : MSIE6 URL bar spoofing (MEDIUM)
Impact : mimicking an arbitrary site, possibly including SSL data
Demo : http://lcamtuf.coredump.cx/ietrap2/
MSIE6 vulnerability, similar but unrelated to my earlier onUnload
entrapment flaw, allows sites to spoof URL bar data.
MSIE7 is not affected because of certain high-level changes in the
browser.
|
|
Go to the Top of This SecurityTracker Archive Page
|
