Cross-domain vulnerability
in Internet Explorer (IE)
A cross-domain vulnerability in Internet Explorer (IE) could allow an
attacker to execute arbitrary code with the privileges of the user running IE.
Description
There is a cross-domain vulnerability in the way IE determines the security
zone of a browser frame that is opened in one domain then redirected by a web
server to a different domain. A complex set of conditions is involved, including
a delayed HTTP response (3xx status code) to change the content of the frame to
the new domain. Vulnerability Note
VU#713878 describes this vulnerability in more technical detail and will be
updated as further information becomes available.
Other programs that host the WebBrowser ActiveX control or use the MSHTML
rendering engine, such as Outlook and Outlook Express, may also be affected.
This issue has been assigned CVE CAN-2004-0549.
What might happen if my web browser is exposed to a malicious script?
Among the possibilities are that an attacker could capture
your password and other information you believe is protected. You should also be
concerned because malicious scripts can be used to expose restricted parts of
your organization's local network (such as their intranet) to attackers who are
on the Internet.
Some web browsers contain vulnerabilities in the security systems that
determine what access a script should have to your computer or other web sites.
In the case of these cross-zone or cross-domain vulnerabilities, a malicious
script could download and install arbitrary software on your computer, or read
or modify data on another web site.
Malicious scripts can also be used to alter the appearance of the browser,
thus making social engineering or "phishing" attacks more successful. For
example, a malicious script might open a browser windows outside of the visible
screen area or cover the address bar with a spoofed address.
Attackers may be able to use malicious scripts to infect cookies with copies
of themselves. If the infected cookie is sent back to a vulnerable web site and
passed back to your browser, the malicious script may start running again. Note:
This is not a vulnerability in web cookies; rather, a malicious script takes
advantage of the functionality of cookies.
Impact
By convincing a victim to view an HTML document (web page, HTML email), an
attacker could execute script in a different security domain than the one
containing the attacker's document. By causing script to be run in the Local
Machine Zone, the attacker could execute arbitrary code with the privileges of
the user running IE.
Publicly available exploit code exists for this vulnerability, and US-CERT
has monitored incident reports that indicate that this vulnerability is being
actively exploited.
Solution
Until a complete solution is available from Microsoft, consider the following
workarounds.
Disable Active scripting and ActiveX controls
Disabling Active scripting and ActiveX controls in the Internet Zone (or any
zone used by an attacker) appears to prevent exploitation of this vulnerability.
Disabling Active scripting and ActiveX controls in the Local Machine Zone will
prevent widely used payload delivery techniques from functioning. Instructions
for disabling Active scripting in the Internet Zone can be found in the
Malicious Web Scripts FAQ. See Microsoft
Knowledge Base Article 833633 for information about securing the
Local Machine Zone. Also, Service Pack 2 for Windows XP (currently at
RC1) includes these and other security enhancements for IE.
Do not follow unsolicited links
Do not click on unsolicited URLs received in email, instant messages, web
forums, or internet relay chat (IRC) channels. While this is generally good
security practice, following this behavior will not prevent exploitation of this
vulnerability in all cases.
Maintain updated anti-virus software
Anti-virus software with updated virus definitions may identify and prevent
some exploit attempts. Variations of exploits or attack vectors may not be
detected. Do not rely solely on anti-virus software to defend against this
vulnerability. More information about viruses and anti-virus vendors is
available on the US-CERT Computer Virus
Resources page.
| 
