On MovieTome: Why you didn't see Shatner in TREK
BNET Business Network:
BNET
TechRepublic
ZDNet

June 30th, 2008

Exploit code released for unpatched IE 7 vulnerability

Posted by Ryan Naraine @ 11:59 am

Categories: Arbitrary Code Execution, Botnets, Browsers, Data theft, Exploit code, Malware, Microsoft, Responsible disclosure, Spyware and Adware, Vulnerability research, Zero-day attacks

Tags: Attacker, Vulnerability, Microsoft Internet Explorer 7, Domain, Exploit Code, Microsoft Internet Explorer, Web Browsers, Internet, Ryan Naraine

Another day, another gaping hole affecting fully patched versions of Microsoft’s Internet Explorer browser.

According to a warning from US-CERT, proof-of-concept exploit code has been published for a new zero-day bug that can be used for a variety of malicious attacks against Windows users running IE 6, IE 7, and IE 8 beta 1.

The code, published here by ’sirdarckat’,  shows how the vulnerability can be exploited to hijack an iFrame in a legitimate site and capture a target’s keystrokes. This occurs because  Internet Explorer fails to properly restrict access to a document’s frames, allowing an attacker to modify the contents of frames in a different domain.

[ SEE: Zero-day flaw haunts Internet Explorer ]

This screenshot (of a proof-of-concept created by researcher Aviv Raff) shows the Google home page in a frame hijacked from Microsoft’s Windows Update site.  The security implications are rather frightening:
IE frame location vulnerability

Can you imagine if someone spoofs this page with their own rigged Microsoft Update download page?

From the US-CERT advisory:

Microsoft Internet Explorer fails to properly restrict access to a document’s frames. This can allow an attacker to replace the contents of a web page’s frame with arbitrary content. Internet Explorer still appears to enforce the cross-domain security model, which limits the actions that a malicious frame can take with the parent document. For example, a frame that exists in a different domain should not be able to access the parent document’s cookies or HTML content, or other domain-specific DOM components. However, components that are not tied to a specific domain, such as the onmousedown event. By monitoring this particular event, an IFRAME can capture keystrokes from the parent document. Other actions may be possible.

…By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message), an attacker may be able to access non-domain-specific elements from a web page that exists in a different domain. For example, the attacker may be able to capture keystrokes while a user is interacting with a web page in a different domain.

[ ALSO SEE: Internet Explorer ‘feature’ causing drive-by malware attacks ]

Ryan NaraineRyan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.


Email Ryan Naraine

For daily updates on Ryan's activities, follow him on Twitter.

Subscribe to Zero Day via Email alerts or RSS.

  • Talkback
  • Most Recent of 16 Talkback(s)
Yes, but if you continued a previous session
that had inserted the iframe then just changing the URL to another site is not going to ensure that the IFrame is not still present.... (Read the rest)
Posted by: dunn@... Posted on: 07/09/08 You are currently: a Guest | | Terms of Use
Your picture looks like Google hacked Microsoft  BALTHOR | 06/30/08
Can this happen if another window isn't open?  Narr vi | 06/30/08
Yes, via a hidden IFrame...  dunn@... | 07/01/08
good point, but  Narr vi | 07/01/08
Yes, but if you continued a previous session  dunn@... | 07/09/08
"unpatched"? this is obvious, because it's a new flaw  qmlscycrajg | 07/01/08
Newly Discovered  balaknair | 07/01/08
RE: Exploit code released for unpatched IE 7 vulnerability  mrlinux | 07/01/08
Yes  forrestgump2000@... | 07/01/08
So protected mode does not even help ???  mrlinux | 07/01/08
RE: Exploit code released for unpatched IE 7 vulnerability  ator1940 | 07/01/08
We can only HOPE that MS takes this seriously  dunn@... | 07/01/08
RE: Exploit code released for unpatched IE 7 vulnerability  Earthling2 | 07/02/08
Typing URL directly or using shortcut...  dudge669 | 07/02/08
good point also, and too bad Ryan too lazy to reply on it  Narr vi | 07/02/08
Always Always close the bowser before...  dunn@... | 07/09/08

What do you think?

SponsoredWhite Papers, Webcasts, and Downloads

advertisement
Click Here

Recent Entries

Premier Vendor Content Whitepapers, webcasts & resources from our Power Center Sponsors
advertisement

Archives

Favorite Links

ZDNet Blogs

White Papers, Webcasts, and Downloads

Enterprise Applications

  • Check out some of the easiest and most powerful ways to boost productivity while saving money on your application infrastructure. See ZDNet's comprehensive Enterprise Application resource center, now!
  • New Online Dashboard
  • Read about top issues IT decision-makers face every day, plus get cost effective solutions to real life IT problems. Oracle Topline