Just another reason-Patches no good-
Critical Vulnerabilities
from TippingPoint (http://www.tippingpoint.com)
MODERATE: Multiple Browsers Frame Injection Vulnerability
Affected:
Internet Explorer versions 5, 5.01 and 6
Opera version 7.5x
Mozilla version 1.6
Mozilla Firebird versions 0.7 and 0.8
Netscape version 7.1
Safari version 1.2.2
Description: An old vulnerability has been rediscovered in multiple
browsers including the widely used Internet Explorer. This vulnerability
permits a malicious website to inject a “frame” into the browser window
of another website. For example, the content from
http://www.malicious.com can be loaded into another window displaying the
content from http://www.msdn.com. The flaw can be exploited by a
malicious webpage to spoof its identity as a trusted site. This may lead
to stealing sensitive user information such as passwords, or further
compromise of the user system. A proof-of-concept exploit has been publicly
posted.
Status: Vendors have not confirmed, no patches available. Mozilla Firefox
version 0.9 and Mozilla version 1.7 are reportedly not vulnerable.
UPDATE: Internet Explorer Patch Disables ADODB.STREAM ActiveX Control
Microsoft has released a patch for Internet Explorer that disables the
ADODB.STREAM ActiveX control. This control has been utilized in exploit
code for many IE cross-domain vulnerabilities that permit an attacker to
execute arbitrary code on client systems. This control is used because it
supports methods to read and write files on the client computer. Note
that disabling the control may prevent the exploitation of IE
vulnerabilities via currently circulating exploits. However, the patch
does not fix the root cause of the problem – the cross-domain IE
vulnerabilities. Postings show how the existing IE exploit code can be
modified to compromise a patched client system. An example of modified
exploit code has been publicly posted.
References:
Microsoft Knowledge Base Article
http://support.microsoft.com/default.aspx?kbid=870669
CERT Advisory
http://www.us-cert.gov/cas/techalerts/TA04-184A.html
Posting by Russ Cooper
http://archives.neohapsis.com/archives/ntbugtraq/2004-q3/0005.html
Posting by Matthew Murphy
http://archives.neohapsis.com/archives/fulldisclosure/2004-07/0111.html
Postings by http-equiv
http://archives.neohapsis.com/archives/fulldisclosure/2004-07/0114.html
http://archives.neohapsis.com/archives/ntbugtraq/2004-q3/0010.html
Postings by Jelmer
http://archives.neohapsis.com/archives/fulldisclosure/2004-07/0131.html
http://archives.neohapsis.com/archives/fulldisclosure/2004-07/0104.html
Modified Exploit Code
Note: Clicking this link will launch an exploit
>snip<
Previous @RISK Newsletter Postings (IE Vulnerabilities)
http://www.sans.org/newsletters/risk/vol3_25.php (Item #6)
http://www.sans.org/newsletters/risk/vol3_23.php (Item #1)
http://www.sans.org/newsletters/risk/vol3_7.php (Item #4)
http://www.sans.org/newsletters/risk/vol3_13.php (Item #8)
-max