ZDNet UK
D-Day - another IE flaw

John McCormick

Published: 28 Oct 2002 16:34 GMT


The Israeli security firm GreyMagic recently sent me a note describing the 11th vulnerability its researchers have found in Microsoft's Internet Explorer, and this one is a really strange threat because it applies only when a particular property (Document) is spelled with an initial capital D. Thus, it has been dubbed the D-Day vulnerability. The breaking news was covered on ZDNet UK and in GreyMagic's advisory GM#011-IE on NTBugtraq. GreyMagic said that between September 26 and the day it sent us the notification, the company tested various programs and developed its proof-of-concept to validate the discovery. It notified Microsoft of the problem at the same time it notified me and posted its advisory.

Regarding the common practice of notifying Microsoft before warning clients and the press, a GreyMagic spokesperson said, "After quite a few experiences with the [Microsoft Security Response Center], we know that a week or two would make no difference as far as Microsoft is concerned. They take months and months to patch the issues."

According to data sent to me by the company, it has typically taken Microsoft from three to six months to patch vulnerabilities reported to them by GreyMagic. The firm closed its comments to me by saying, "We'd rather warn customers early than give a 'formal' grace period to Microsoft."

GM#011-IE provides links to several proof-of-concept demonstrations, including a demo showing how to read someone's Google.com cookie.

Iframe and frame elements in the WebBrowser control often contain URLs for other Web sites, and normally strict security controls manage these potential cross-frame scripting threats. The problem GreyMagic discovered lies in just one property, Document, which isn't properly protected in several versions of IE (as specified below under Applicability).

What this means is that, for example, oElement.document gives the normal, protected reference from an element to its document, but oIFrameElement.Document returns the framed page's document with no security check to see whether it comes from a different domain.

This is explained in some detail in the GreyMagic Security Advisory, but the key phrase in the advisory is, "This provides free and full access to the frame's Document Object Model," making it possible for an attacker to read cookies and other local files or even run programs on the vulnerable system in the My Computer zone.
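As an added example, not code from the advisory or from IE, here is a toy same-origin gate in JavaScript of the kind a browser must apply before handing one frame's script the document of another. The FrameHandle class, the demo function and the example.com URLs are constructed for illustration.

```javascript
// Added example: a same-origin gate modelling the check that cross-frame access
// must pass. Toy model, not IE code. Origins compare on scheme, host and port,
// with default ports normalised so "https://x" and "https://x:443" match.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to an origin tuple (Node's global URL class does the parsing).
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

function sameOrigin(a, b) {
  const oa = originOf(a), ob = originOf(b);
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// A frame handle that exposes its document only through an origin-checked
// accessor. The lesson of the advisory is that every alias of this accessor
// (document, Document, ...) must route through the same gate; one that does
// not is a cross-frame scripting hole.
class FrameHandle {
  constructor(frameUrl, frameDocument) {
    this.url = frameUrl;
    this._doc = frameDocument; // constructed stand-in for the framed DOM
  }
  getDocument(callerUrl) {
    if (!sameOrigin(callerUrl, this.url)) {
      throw new Error("SecurityError: cross-origin frame access denied");
    }
    return this._doc;
  }
}

// Constructed scenario: a framed page and two callers, one on the same origin
// (default port spelled out) and one differing only in scheme.
function demo() {
  const frame = new FrameHandle("https://www.example.com/", { cookie: "session=constructed" });
  const results = {};
  results.sameOriginOk = frame.getDocument("https://www.example.com:443/page").cookie;
  try {
    frame.getDocument("http://www.example.com/"); // scheme differs: denied
    results.crossOriginBlocked = false;
  } catch (e) {
    results.crossOriginBlocked = true;
  }
  return results;
}
```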

See Microsoft's report for a brief explanation of cross-frame scripting security.

Applicability

Versions of IE 5.5 are not vulnerable to this threat. IE 5.5 with Service Pack 2 installed and IE 6 without SP1 installed are both vulnerable, but according to GreyMagic's report, "Surprisingly, this vulnerability does not exist in IE6 SP1. It's hard to believe that Microsoft actually meant to plug it, [since] IE5.5 remains vulnerable, yet somehow this stray property has been covered in [IE6 SP1]."

GreyMagic reports successfully testing this vulnerability on IE 5.5 running on Win98 and NT4, as well as IE6 running on Win98, Win2K, and XP. In addition, GreyMagic points out that this would affect any application using IE's WebBrowser control, such as Microsoft Outlook.

Risk level -- critical

Although GreyMagic doesn't post such ratings, and Microsoft hadn't responded to this report at the time of this writing, I would rate this as a critical vulnerability, one that needs to be dealt with quickly. Fortunately, the fix is relatively easy.

Fix

Disable Active Scripting or upgrade to IE 6 and install SP1.

Bottom line

The statistics I collect at one of my own Web sites show that nearly 48 percent of visitors are using IE 6 and 44 percent are running IE 5.5, although I don't have any way of tracking which have applied service packs or patches. Nevertheless, this shows that a lot of people are using the versions of IE that have this vulnerability.

Interestingly enough, based on my site statistics, even people running old operating systems such as Windows 98 are running newer versions of IE, which surprised me. I would have guessed that those who haven't upgraded their base OS probably haven't updated their browser either -- but apparently that's not the case. At any rate, it's clear that this flaw threatens a lot of systems.
