Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Microsoft Internet Explorer (IE) May Leak Keystrokes Across Frames
|
|
SecurityTracker Alert ID: 1009243
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Feb 27 2004
|
Impact: Disclosure of user information
|
Exploit Included: Yes
Vendor Confirmed: Yes
|
Advisory: iDEFENSE
|
Version(s): 5, 6
|
Description: iDEFENSE reported a cross-frame domain security vulnerability in Microsoft Internet Explorer. A remote user may be able to obtain a target user's keystrokes within a frameset.
It is reported that a remote user can create HTML that, when loaded by a target user, will bypass the restrictions imposed on cross
frame scripting. This can reportedly be achieved by embedding Javascript outside of the defined frameset within the parent HTML
document and forcing the target frameset to maintain focus. According to the report, keyboard events are apparently the only type
of events that are leaked.
A remote user can reportedly create malicious HTML that can monitor keystrokes typed by the target
user in the target frameset.
To exploit the flaw, the target user must click on a link for the target site that is contained
within a malicious frame. Because of this, the target user may be able to avoid exploitation by noticing an incorrect URL in the
address bar or status bar or an incorrect certificate on SSL-based connections.
A demonstration exploit is provided in the Source
Message.
The vendor was reportedly notified on February 10, 2004.
The original advisory is available at:
http://www.idefense.com/application/poi/display?id=77&ty
pe=vulnerabilities
|
Impact: A remote user may be able to capture a target user's keystrokes if the user clicks on a link in a malicious page and then types information into the resulting (valid) frame.
|
Solution: No solution was available at the time of this entry. According to the report, Microsoft does not consider this issue to represent
a security vulnerability. However, they do consider it a bug and plan to correct the bug in a future service pack.
|
Vendor URL: www.microsoft.com/technet/security/ (Links to External Site)
|
Cause: Access control error
|
Underlying OS: Windows (Any)
|
Reported By: idlabs-advisories@idefense.com
|
Message History:
None.
|
Source Message Contents
|
Date: Fri, 27 Feb 2004 10:44:41 -0500
From: idlabs-advisories@idefense.com
Subject: iDEFENSE Security Advisory 02.27.04b: Microsoft Internet Explorer
|
Microsoft Internet Explorer Cross Frame Scripting Restriction Bypass
iDEFENSE Security Advisory 02.27.04b:
http://www.idefense.com/application/poi/display?id=77&type=vulnerabiliti
es
February 27, 2004
I. BACKGROUND
Internet Explorer is a set of core technologies in Microsoft Windows
operating systems that provide web browsing functionality. Further
information is available at http://www.microsoft.com/ie/.
II. DESCRIPTION
Exploitation of an access validation error within Microsoft Corp.'s
Internet Explorer web browser allows remote attackers to bypass the
restrictions imposed on cross frame scripting.
The problem specifically exists due to invalid restrictions within the
event handling routines of Internet Explorer. According to Microsoft
Knowledge Base Article 167796
(http://support.microsoft.com/support/kb/articles/Q167/7/96.asp)
access between frames located on different domains should be restricted.
However, it is possible to bypass this restriction by placing malicious
JavaScript outside the defined frameset within the parent HTML and
forcing the target frameset to maintain focus.
The example below will display the captured keystrokes from the
iDEFENSE registration page in the status bar of the frameset.
<html>
<head><title>IE Cross Frame Scripting Restriction Bypass Example</title>
<script>
var keylog='';
document.onkeypress = function () {
k = window.event.keyCode;
window.status = keylog += String.fromCharCode(k) + '[' + k +']';
</script>
</head>
<frameset onLoad="this.focus();" onBlur="this.focus();" cols="100%,*">
<frame src="http://www.idefense.com/register.jsp" scrolling="auto">
</frameset>
</html>
Keyboard events appear to be the only events that are leaked across
framesets. The malicious JavaScript can monitor all keystrokes typed
within the targeted frameset and could be used to transmit the
keystrokes to a remote location. Such information leakage could include
confidential information such as login credentials and credit card
information. The technique does not require an attacker to replicate the
functionality of a third party web site as the victim will be
interacting with the real site.
III. ANALYSIS
Successful exploitation requires that an attacker convince a user to
follow a link allowing for the target site to be contained within a
malicious frame. A victim would be alerted to this attack by noticing an
incorrect URL in the address bar or improper name on the SSL
certificate. Therefore, chances of success can be greatly increased when
combining exploitation of this vulnerability with the Internet Explorer
URL Canonicalization Vulnerability (MS04-004). Successful exploitation
allows an attacker to obtain confidential data, which could lead to
further compromise.
IV. DETECTION
iDEFENSE has confirmed the existence of this vulnerability in Internet
Explorer 5 and 6 running on Windows 2000 Professional and Windows XP
Professional. Internet Explorer 5 running on Windows 98 is reported not
to be vulnerable.
V. WORKAROUND
Website administrators can prevent exploitation of this kind on their
own site by ensuring that the site is not encapsulated within a
frameset. The following snippet of JavaScript can be utilized to
accomplish this:
if (top != self)
{
top.location=self.location;
}
VI. VENDOR RESPONSE
Microsoft has not categorized this issue as a vulnerability. However,
they have stated that a bug will be opened for the issue and the
functionality will be changed in a future service pack. Their reasoning
for this assessment is provided below.
"We've reviewed this issue and determined that it isn't itself a
security vulnerability but could be used in a spoofing scenario. In
this particular spoofing scenario, similar to most spoofing attacks, a
user must be enticed into providing personal information without
verifying the identity of the Web site collecting the information.
Generally, customers can protect themselves from these types of attacks
by verifying that the Web sites they are providing information to are
the actual Web sites they intend to interact with. Specifically, to be
protected from this spoofing attack, customers should take the following
steps:
- First, verify that MS04-004 is installed. This will make certain
that customers have the most up-to-date IE. Moreover, MS04-004 provides
a fix that ensures customers can verify which Web sites they are
visiting by simply viewing the address bar.
- Second, and for customers who have not updated their computers with
MS04-004, customers can double check the identity or legitimacy of the
Web site they are viewing before inputting personal information by
double clicking on the yellow padlock icon at the bottom right corner of
the screen. This will reveal the security certificate for the visited
Web site and verify its identity.
Customers should review the best practices for safe browsing available
at http://www.microsoft.com/security/incident/spoof.asp
And finally, as always, Microsoft recommends that all customers visit
and follow the guidance on www.microsoft.com/protect"
iDEFENSE agrees with the technical aspects of the statement made by
Microsoft. However, we feel that the issue outlined in this advisory can
be exploited in such a way that would make it difficult for an end user
mitigate the potential risk through visual inspection of the address
bar. Potential avenues of attack include:
- Utilizing cybersquatted URLs similar to the target domain
- Creating the frameset in a popup window that uses scripting to avoid
displaying the address bar
- Masking the true URL using the Internet Explorer URL Canonicalization
Vulnerability (MS04-004 -
http://www.microsoft.com/technet/technet/security/Bulletin/MS04-004.asp)
The final avenue of attack presents the greatest risk given the fact
that a patch for MS04-004 was only recently released (February 2, 2004).
VII. CVE INFORMATION
A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.
VIII. DISCLOSURE TIMELINE
February 4, 2004 Vulnerability acquired by iDEFENSE
February 10 2004 Initial vendor notification
February 10 2004 Initial vendor response
February 11, 2004 iDEFENSE clients notified
February 27, 2004 Public disclosure
|
|
Go to the Top of This SecurityTracker Archive Page
|
