(Vendor Issues Fix) Microsoft Internet Explorer Access Control Flaw in popup.show() Lets Remote Users Execute Mouse-Click Actions
|
|
SecurityTracker Alert ID: 1013122 |
|
SecurityTracker URL: http://securitytracker.com/id/1013122
|
|
CVE Reference:
CAN-2004-0839, CAN-2004-0841
(Links to External Site)
|
Date: Feb 8 2005
|
Impact:
Execution of arbitrary code via network, User access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
|
Description:
A vulnerability was reported in Microsoft Internet Explorer in popup.show(). A remote user can take arbitrary mouse-based actions on the target system.
Paul from GreyHats Security Group reported that a remote user can create HTML that uses the popup.show() function with the 'on mousedown' event to take mouse-based actions on the target user's system [CVE: CAN-2004-0841].
A demonstration exploit is available at:
http://freehost07.websamba.com/greyhats/hijackclick3.htm
http-equiv subsequently reported that this vulnerable function can be used in conjunction with the previously reported "shell://" vulnerability to execute arbitrary code on the target user's system.
Some demonstration exploit code is provided:
<img src="greyhat.html" id=anch
onmousedown="parent.nsc.style.width=2000;parent.nsc.style.height=
2000;parent.pop.show(1,1,1,1);parent.setTimeout('showalert
()',3000);" style="width=168px;height=152px;background-image:url
('youlickit.gif');cursor:hand" title="click me!"></a>
location="shell:favorites\\greyhat[1].htm"
A demonstration exploit is available at:
http://www.malware.com/paul.html
On August 18, 2004, http-equiv provided an additional exploit example [CVE: CAN-2004-0839], available at:
http://www.malware.com/wottapoop.html
When this exploit example is followed, an executable file will be placed in your Windows Startup folder. Some user interaction is required in the example, but comments in the code note that it may be possible to automate the exploit.
|
Impact:
A remote user can create HTML that will execute mouse-click actions on the target user's computer.
|
Solution:
The vendor has issued the following fixes:
Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4:
http://www.microsoft.com/downloads/details.aspx?FamilyId=3B6A6CC1-CCE4-4462-A0D2-E88D38DEF807
Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=865B5D9D-FC5B-4F91-A860-2C35A025A907
Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium):
http://www.microsoft.com/downloads/details.aspx?FamilyId=B6DAA99A-6E0B-477D-99E9-5237BCF57762
Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium):
http://www.microsoft.com/downloads/details.aspx?FamilyId=9EE7FF53-20EC-4B75-A255-72DD0AB52FF3
Microsoft Windows Server 2003:
http://www.microsoft.com/downloads/details.aspx?FamilyId=80AA33F4-E5B0-42A6-844B-F80D6168E25E
Microsoft Windows Server 2003 for Itanium-based Systems:
http://www.microsoft.com/downloads/details.aspx?FamilyId=9EE7FF53-20EC-4B75-A255-72DD0AB52FF3
A restart is required.
Please note that this vulnerability also requires that you apply the cumulative updated described in MS05-014, available at:
http://www.microsoft.com/technet/security/bulletin/ms05-014.mspx
|
Vendor URL: www.microsoft.com/technet/security/bulletin/ms05-008.mspx (Links to External Site)
|
Cause:
Access control error
|
Underlying OS:
Windows (98), Windows (2000), Windows (2003), Windows (XP)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Tue, 8 Feb 2005 16:04:42 -0500
Subject: http://www.microsoft.com/technet/security/bulletin/ms05-008.mspx
|
MS05-008
CVE: CAN-2004-0985, CAN-2004-0839, and CAN-2003-1027
|
|
