INFORMATION ALERT


AN EMERGING ISSUE WITH:
MICROSOFT INTERNET EXPLORER CROSS-SITE SCRIPTING VULNERABILITY


SEVERITY:
Medium

DATE:
April 17, 2002


SUMMARY:

Bugtraq posts yesterday and today from unrelated security
researchers describe flaws in Internet Explorer (IE) versions 5,
5.5, and 6 that allow Cross-Site Scripting (CSS) attacks. A hacker
could exploit this flaw to execute code on your machine, run scripts
within the My Computer zone, or hijack your MSN Messenger client.
There is no direct impact on WatchGuard products. Administrators
using IE 5.x or 6 in their network should evaluate following the
workaround below until a patch is available.


EXPOSURE:

Internet Explorer includes some methods that Web sites can use to
open dialog windows. Once a dialog window is open, the Web site can
pass objects between its page and the dialog window. To make this
feature more secure, IE performs a validation and only allows Web
sites to interact with dialog windows that are in the same domain
and using the same port or protocol as the original page. If a Web
site opens a dialog window to a third party site, IE should prevent
any interaction between the two.

However, in his advisory <http://jscript.dk/adv/TL002/>, Thor
Larholm explains that "unfortunately, the validation code only
checks the original URL instead of the final URL." Bear in mind that
a dialog box is simply more HTML code, so from IE's viewpoint it is
another Web page. To execute the attack, a hacker would craft
malicious HTML code (which could be on a Web site, or sent as an
HTML e-mail to the victim). When clicked on, the HTML would open a
specially-crafted dialog box in the proper domain to pass IE's URL
validation check. But further code in the dialog box could then
redirect the victim from the originating site to the desired dialog
page, fooling IE's dialog security measure. With this security
measure out of the way, the hacker is free to pass information back
and forth between any site in the dialog box, and his own site.

This would be bad enough on its own (for example, using this
technique an attacker could redirect you to an e-trading site and
see what you do). But Larholm also discovered that some of the
default error pages that ship with IE 6 are susceptible to this
vulnerability. By applying this Cross-Site Scripting attack
<http://www.microsoft.com/technet/tre...echnet/securit
y/topics/ExSumCS.asp>
to these default error pages, a hacker could run scripts in IE's My
Computer zone (less restricted), hijack your MSN Messenger client,
or run any program on your machine.

In Larholm's original advisory, IE6 was the only version of IE
susceptible to this Cross-Site Scripting attack. However, GreyMagic
quickly followed with an advisory <http://sec.greymagic.com/adv/gm001-ax/>
confirming Larholm's findings and describing a component that ships
with IE5 and 5.5 which is also vulnerable to this Cross-Site
Scripting attack. In short, IE 5, 5.5 and 6 are all susceptible.


SOLUTION PATH:

Microsoft has not released a patch yet. However, according to
Larholm, IE users can prevent this attack by disabling scripting in
IE. To do this, click on Tools => Internet Options => Security tab
in IE. Highlight the Internet zone and click the Custom Level
button. Scroll down till you find "Active Scripting" and check
Disable. Finally, click on OK twice. Keep in mind, many Web sites
and HTML based applications might require Active Scripting for
normal usage. Disabling Active Scripting could prevent safe sites
from working properly.