June 4th, 2007
Gaping holes exposed in fully-patched IE 7, Firefox
Polish hacker Michal Zalewski has ratcheted up his ongoing assault on Web browser security models, releasing details on serious flaws in fully patched versions of IE 6, IE 7 and Firefox 2.0.
Zalewski, a well-respected security researcher, published demos of four different browser vulnerabilities on the Full Disclosure mailing list, warning of unpatched cookie stealing, page hijacking, memory corruption and URL bar spoofing bugs.
The most serious of the four — a page update race condition affecting Microsoft’s IE 6 and IE 7 — is rated “critical.” Zalewski explains with an online demo of an exploit:
In short, when Javascript code instructs MSIE to navigate away from a page that meets same-domain origin policy (and hence can be scriptually accessed and modified by the attacker) to an unrelated third-party site, there is a window of opportunity for concurrently executed Javascript to perform actions with the permissions for the old page, but actual content for the newly loaded page, for example: read or set victim.document.cookie, arbitrarily alter document DOM, including changing form submission URLs, injecting code, or even crashing the browser due to memory corruption while reading and writing not fully initialized data structures.
“In other words, the entire security model of the browser collapses like a house of cards and renders you vulnerable to a plethora of nasty attacks,” Zalewski warns, noting that local system compromise is also possible.
Zalewski also dropped details of a “major” Firefox cross-site IFRAME hijacking bug that could allow malicious code execution, keystroke interception and content spoofing attacks. Click here for an online demo and technical details.
Mozilla developers are tracking the issue, which is a variant of a bug that has haunted Firefox since 2006.
Demos of two other medium-risk flaws affecting IE and Firefox were also released.
One is a Firefox prompt-delay bypass issue (demo here) that allows non-consensual download of execution of files.
A sequence of blur/focus operations can be used to bypass delay timers implemented on certain Firefox confirmation dialogs, possibly enabling the attacker to download or run files without user’s knowledge or consent.
The other is a URL bar spoofing flaw that affects IE 6 (demo here). It could allow an attacker to mimic an an arbitrary site, possibly including SSL data. Internet Explorer 7 is not affected by this bug because of certain high-level changes in the browser, Zalewski said.
[UPDATE: June 4, 2007 @ 1:50 PM] Microsoft is looking into Zalewski’s warning. A statement from an MSRC spokesman:
Microsoft is investigating new public claims of two possible vulnerabilities in Internet Explorer. Microsoft is not aware of any attacks attempting to use the possible vulnerabilities or of customer impact at this time. Microsoft will continue to investigate the claims to help provide additional guidance for customers as necessary.
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
For daily updates on Ryan's activities, follow him on Twitter.
Subscribe to Zero Day via Email alerts or RSS.
[NT]
