April 17th, 2002, 10:38 PM
April 17 Alert: IE Cross-Site Scripting
AN EMERGING ISSUE WITH:
MICROSOFT INTERNET EXPLORER CROSS-SITE SCRIPTING VULNERABILITY
April 17, 2002
Bugtraq posts yesterday and today from unrelated security
researchers describe flaws in Internet Explorer (IE) versions 5,
5.5, and 6 that allow Cross-Site Scripting (CSS) attacks. A hacker
could exploit this flaw to execute code on your machine, run scripts
within the My Computer zone, or hijack your MSN Messenger client.
There is no direct impact on WatchGuard products. Administrators
using IE 5.x or 6 in their network should evaluate following the
workaround below until a patch is available.
Internet Explorer includes some methods that Web sites can use to
open dialog windows. Once a dialog window is open, the Web site can
pass objects between its page and the dialog window. To make this
feature more secure, IE performs a validation and only allows Web
sites to interact with dialog windows that are in the same domain
and using the same port or protocol as the original page. If a Web
site opens a dialog window to a third party site, IE should prevent
any interaction between the two.
However, in his advisory <http://jscript.dk/adv/TL002/>, Thor
Larholm explains that "unfortunately, the validation code only
checks the original URL instead of the final URL." Bear in mind that
a dialog box is simply more HTML code, so from IE's viewpoint it is
another Web page. To execute the attack, a hacker would craft
malicious HTML code (which could be on a Web site, or sent as an
HTML e-mail to the victim). When clicked on, the HTML would open a
specially-crafted dialog box in the proper domain to pass IE's URL
validation check. But further code in the dialog box could then
redirect the victim from the originating site to the desired dialog
page, fooling IE's dialog security measure. With this security
measure out of the way, the hacker is free to pass information back
and forth between any site in the dialog box, and his own site.
This would be bad enough on its own (for example, using this
technique an attacker could redirect you to an e-trading site and
see what you do). But Larholm also discovered that some of the
default error pages that ship with IE 6 are susceptible to this
vulnerability. By applying this Cross-Site Scripting attack
to these default error pages, a hacker could run scripts in IE's My
Computer zone (less restricted), hijack your MSN Messenger client,
or run any program on your machine.
In Larholm's original advisory, IE6 was the only version of IE
susceptible to this Cross-Site Scripting attack. However, GreyMagic
quickly followed with an advisory <http://sec.greymagic.com/adv/gm001-ax/>
confirming Larholm's findings and describing a component that ships
with IE5 and 5.5 which is also vulnerable to this Cross-Site
Scripting attack. In short, IE 5, 5.5 and 6 are all susceptible.
Microsoft has not released a patch yet. However, according to
Larholm, IE users can prevent this attack by disabling scripting in
IE. To do this, click on Tools => Internet Options => Security tab
in IE. Highlight the Internet zone and click the Custom Level
button. Scroll down till you find "Active Scripting" and check
Disable. Finally, click on OK twice. Keep in mind, many Web sites
and HTML based applications might require Active Scripting for
normal usage. Disabling Active Scripting could prevent safe sites
from working properly.
"I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson
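The flaw Larholm describes ("the validation code only checks the original URL instead of the final URL") is easier to see in a small model than in prose. The following Node.js script is an added illustration written for this thread; it is not IE's code, Larholm's code, or an exploit. It models a dialog that is opened from an attacker page in the attacker's own domain and then navigates itself to a third-party site, and compares a check that looks at the URL the dialog was opened with against a check that looks at the URL the dialog is actually showing. All names (DialogWindow, openDialog, navigate, canInteractBroken, canInteractFixed, runScenario) and the URLs are constructed for the example.

```javascript
// Added illustration (not IE's code): a toy model of the dialog-origin check
// described in Thor Larholm's advisory, where the check is performed against
// the URL the opener requested rather than the URL the dialog ends up on.
//
// The class and function names and all URLs below are assumptions made for
// this example.

// Origin = scheme + host + port, the tuple the dialog check is meant to
// compare. Node's global URL class drops default ports for us.
function originOf(urlString) {
  return new URL(urlString).origin;
}

// A minimal stand-in for a dialog opened with showModalDialog(): it remembers
// the URL it was opened with and the URL it is currently showing.
class DialogWindow {
  constructor(openerUrl, requestedUrl) {
    this.openerUrl = openerUrl;
    this.requestedUrl = requestedUrl; // what the opener asked for
    this.currentUrl = requestedUrl;   // what is actually loaded right now
  }
  // The dialog's own script (or an HTTP redirect) moves it elsewhere.
  navigate(newUrl) {
    this.currentUrl = newUrl;
  }
}

function openDialog(openerUrl, requestedUrl) {
  return new DialogWindow(openerUrl, requestedUrl);
}

// Flawed check: compares the opener against the URL the dialog was opened
// with. Once the dialog has navigated, this answer is stale.
function canInteractBroken(dialog) {
  return originOf(dialog.openerUrl) === originOf(dialog.requestedUrl);
}

// Corrected check: compares the opener against the document the dialog is
// showing at the moment access is attempted.
function canInteractFixed(dialog) {
  return originOf(dialog.openerUrl) === originOf(dialog.currentUrl);
}

// Walk through the scenario from the advisory with constructed URLs: the
// attacker page opens a dialog in its own domain (which passes the check),
// then the dialog redirects itself to a third-party site.
function runScenario() {
  const attacker = "http://attacker.example/page.html";
  const dialog = openDialog(attacker, "http://attacker.example/dialog.html");
  const before = {
    broken: canInteractBroken(dialog),
    fixed: canInteractFixed(dialog),
  };
  dialog.navigate("https://trading.example/account");
  const after = {
    broken: canInteractBroken(dialog), // still true: stale URL consulted
    fixed: canInteractFixed(dialog),   // false: origin has changed
  };
  return { before, after };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runScenario(), null, 2));
}

if (typeof module !== "undefined") {
  module.exports = { originOf, openDialog, canInteractBroken, canInteractFixed, runScenario };
}
```

Run it with `node` and the `after` object shows the gap: the broken check still answers "same origin" after the redirect, while the fixed check, which consults the current document rather than the requested one, says no. The general lesson is that any access decision made once at open time against a URL is a time-of-check/time-of-use problem if the target can navigate afterwards; the decision has to be re-evaluated against the live document on every access.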
April 17th, 2002, 10:49 PM
Thanks Zigar, I happen to be working in a business where the system admins are idiots at best when it comes to security. I'll bring this up at the next meeting.
If you don't tell me what I want to know, in 5 minutes I'll be the only person left standing at this table...5 minutes after that, I'll be the only person left standing in this room.