|
| |
|
Security Intelligence Operations
Microsoft Internet Explorer Object-Based Window Location Cross-Domain Security Bypass Vulnerability |
| |
| Vulnerability Alert | Powered by  |
|
|
| Threat Type: | Exploit Host or Network Trust: Exploit System Trust |
|
| IntelliShield ID: | 16154 |
| Version: | 2 |
| First Published: | June 27, 2008 03:43 PM EDT |
| Last Published: | October 14, 2008 03:54 PM EDT |
| Vector: | Network |
| Authentication: | None |
| Exploit: | Proof-of-Concept |
| Port: |
Not Available
|
| CVE: | CVE-2008-2947 |
| BugTraq ID: | 29960 |
| |
| Urgency: |
Unlikely Use
|  |
| Credibility: |
Confirmed
|  |
 | Severity: |
Moderate Damage
|  |
| CVSS Base: | 9.3 |
CVSS Calculator
CVSS Version 2
|
| CVSS Temporal: | 7.3 |
|
|
| |
| Version Summary: | Microsoft has released a security bulletin and updated software to address the object-based window location cross-domain security bypass vulnerability in Internet Explorer. |
| |
| |
| Description |
|
Microsoft Internet Explorer contains a vulnerability that could allow an attacker to bypass cross-domain security restrictions..
This vulnerability exists due to insufficient cross-domain security restrictions on document windows. An unauthenticated, remote attacker could exploit this vulnerability by convincing a user to visit a malicious site. If successful, the attacker could access sensitive browser-based information from a third-party site. On Windows 2000 systems, an attacker may also be able to leverage this vulnerability to execute arbitrary code with the privileges of the user.
Proof of Concept code is publicly available.
Microsoft has confirmed this vulnerability and released updated software. |
| |
| Warning Indicators |
|
Microsoft Internet Explorer versions 5.01 SP4 and prior, 6.0 SP1 and prior and Internet Explorer 7.0 are vulnerable on the following operating systems:
- Windows 2000 SP4 and prior
- Windows XP SP3 and prior
- Windows XP Professional x64 Edition SP2 and prior
- Windows Server 2003 SP2 and prior
- Windows Server 2003 for Itanium-based Systems SP2 and prior
- Windows Server 2003 x64 Edition SP2 and prior
- Windows Vista SP1 and prior
- Windows Vista x64 Edition SP1 and prior
- Windows Server 2008 for 32-bit Systems
- Windows Server 2008 for x64-based Systems
- Windows Server 2008 for Itanium-based Systems
|
| |
| IntelliShield Analysis |
|
To exploit the vulnerability, an attacker must convince a user to visit a malicious website. The attacker may provide URLs to the website in e-mail messages. From the malicious site, the attacker could open a new window to a trusted, third-party site that an attacker could monitor from the malicious site. The attacker could access information contained within that third-party website or monitor user-supplied input.
An attacker could leverage this vulnerability to conduct phishing attacks by targeting financial websites or other trusted sites and stealing input account information or cookie-based authentication credentials.
The Cisco Applied Intelligence team has created an Applied Mitigation Bulletin to address vulnerabilities that Microsoft disclosed in the October 2008 security bulletin release. This Cisco bulletin, which assists administrators in identifying or mitigating these vulnerabilities using Cisco devices, is available at the following link: Cisco Applied Mitigation Bulletin: Microsoft Security Bulletin for October 2008 |
| |
| Vendor Announcements |
|
Microsoft has released a security bulletin at the following link: MS08-058
US-CERT has released a vulnerability note available at the following link: VU#923508 |
|
| |
| Impact |
|
An unauthenticated, remote attacker could exploit this vulnerability to access sensitive information within other domain zones in a user's browser, violating cross-domain security protections. On Windows 2000 systems, an attacker may also be able to leverage this vulnerability to execute arbitrary code with the privileges of the user. |
| |
| Technical Information |
|
This vulnerability is due to insufficient cross-domain security restrictions on document windows. Internet Explorer fails to properly restrict the interaction of cross-domain scripts on windows opened using resource locations supplied as an object of that window. As a result, those scripts could gain access to information from external domains, possibly allowing an attacker to access sensitive browser-based information.
An unauthenticated, remote attacker could exploit this vulnerability by convincing a user to visit a malicious website. The attacker could then trigger the opening of a new window to a trusted domain with a URL supplied as a property of that object. The attacker may run scripts from the malicious domain that could allow the attacker to access sensitive information contained within that trusted domain, such as cookie-based authentication, or monitor user input to that trusted site. On Windows 2000 systems, an attacker may also be able to execute arbitrary code with the privileges of the user. |
| |
| Safeguards |
|
Administrators are advised to apply the appropriate update.
Administrators may consider configuring Internet Explorer to prompt users before running Active Scripting or ActiveX Controls by setting the Internet and Local Intranet security zone settings to High. Alternately, administrators could disable Active Scripting and ActiveX Controls in these security zones.
Users are advised not to follow unsolicited links. Users should verify the authenticity of unexpected links prior to following them.
Users may consider using an alternate browser application where possible.
Users are advised to add trusted sites to the Internet Explorer Trusted sites zone. |
| |
| Patches/Software |
|
Microsoft has released updated software at the following links:
|
|
| Signatures |
| |
|
|
| |
| Alert History |
| |
Version 1, June 27, 2008, 3:43 PM: Microsoft Internet Explorer contains a vulnerability that could allow an attacker to execute scripts within a user's browser that may bypass security restrictions and gain access to information from other security domains. Updates are not available. |
|
Product Sets |
| |
The security vulnerability applies to the following combinations of products.
|
|
LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME. |
|
|
| |
