18th May 2000 [SBWID-1318]
COMMAND
Frame Domain Verification, Unauthorized Cookie Access and Malformed
Component Attribute
SYSTEMS AFFECTED
Microsoft Internet Explorer 4.0, 4.01, 5.0 and 5.01
PROBLEM
Following is a based on a Security Bulletin from the Microsoft.
The three security vulnerabilities eliminated by this patch are
unrelated to each other except by the fact that they all occur
in the same .dll. We have packaged them together for customer
convenience. The vulnerabilities are:
- \"Frame Domain Verification\" vulnerability. When a web server
opens a frame within a window, the IE security model should
only allow the parent window to access the data in the frame
if they are in the same domain. However, two functions
available in IE do not properly perform domain checking, with
the result that the parent window could open a frame that
contains a file on the local computer, then read it. This could
allow a malicious web site operator to view files on the
computer of a visiting user. The web site operator would need
to know (or guess) the name and location of the file, and could
only view file types that can be opened in a browser window.
This was reported by Mead & Company\'s Andrew Nosenko.
- \"Unauthorized Cookie Access\" vulnerability. By design, the IE
security model restricts cookies so that they can be read only
by sites within the originator\'s domain. However, by using a
specially-malformed URL, it is possible for a malicious web
site operator to gain access to another site\'s cookie and read,
add or change them. A malicious web site operator would need
to entice a visiting user into clicking a link in order to
access each cookie, and could not obtain a listing of the
cookies available on the visitor\'s system. Even after
recovering a cookie, the type and amount of personal information
would depend on the privacy practices followed by the site that
placed it there. This was reported by Marc Slemko.
Update
======
Sample exploit :
http://passport.com%20.sub.znep.com/cgi-bin/cookies
...will cause IE to connect to the hostname specified, but send the
cookies to the server based on the hostname before the \"%20\", in this
case passport.com. The \"%20\" is the URL encoded version of a space
character. \"%20\" isn\'t the only character that works, there are a
variety of others that are also misparsed.
However secure cookies dosen\'t seemed vulnerable.
======
More details on : [http://alive.znep.com/~marcs/security/iecookie2/]
- \"Malformed Component Attribute\" vulnerability. The code used to
invoke ActiveX components in IE has an unchecked buffer and
could be exploited by a malicious web site operator to run code
on the computer of a visiting user. The unchecked buffer is
only exposed when certain attributes are specified in
conjunction with each other. This was reported by UNYUN, the
Shadow Penguin Security Research Group of Japan.
SOLUTION
Patch availability:
http://www.microsoft.com/windows/ie/download/critical/patch6.htm
http://www.microsoft.com/technet/security/bulletin/ms01-055.asp
http://www.microsoft.com/windows/ie/downloads/critical/q312461/default.asp
The patches require IE 4.01 Service Pack 2 or IE 5.01 to install.
Customers using versions prior to these may receive a message
reading \"This update does not need to be installed on this
system\". This message is incorrect. More information is
available in KB article Q262509.
The patch also eliminates a new variant of the previously
addressed WPAD Spoofing vulnerability
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2025 AOH
