RealTime IT News

IE Frame Exploit Grabs Keystrokes

Network security firm iDEFENSE is warning of a vulnerability that grabs a Web surfer's login and password keystrokes in Internet Explorer (IE).

The exploit, which affects IE 5 and 6 running on Windows 2000 Professional and Windows XP Professional, bypasses a Microsoft restriction that prevents multiple frames on one Web page running from two different domains, allowing a cracker to record the keystrokes of victims.

Microsoft security experts have not labeled the exploit a security vulnerability, however; they rate it as more of a spoofing attack and plan to fix the bug in the company's next service pack. They also said users who have downloaded the latest patches should be safe from the attack and directed users to the company's safe browsing Web page.

"In this particular spoofing scenario, similar to most spoofing attacks, a user must be enticed into providing personal information without verifying the identity of the Web site collecting the information," Microsoft's response to iDEFENSE stated.

There are a couple of steps end users can take to avoid falling victim to the exploit. For the malicious code to work, an attacker would have to provide a link, via an email for example, telling the user to visit a particular Web site where the user has login privileges.

The link instead forwards the user to the exploiter's Web site, which displays the Web site the exploiter is looking to break into within the exploiter's own frame, containing the JavaScript that records keystrokes.

It's a relatively easy exploit to uncover: for example, if the link leads to the password-protected Web site but the address bar contains a different Web address, users can simply close the browser. Also, the digital certificate for the page will be different from the one normally displayed.

However, iDEFENSE security experts said there are several workarounds that exploiters can use to circumvent wary Web surfers: using cybersquatted URLs similar to the target site, masking the URL using another security vulnerability or creating a frameset in a popup window, which doesn't display URLs.

iDEFENSE experts also said the patch that prevents the frameset vulnerability from working was only released this month.

iDEFENSE released a code snippet for Web administrators to ensure their Web page can't be encapsulated within another Web site (the code ensures the admin's framesets are the top-level frames within a Web page):

if (top != self)
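
The snippet above is cut off on this page after its condition. A top-level-frame check of the kind described, written as an added example (not iDEFENSE's code): the `ensureTopLevel` function, the window-like test objects and the `.example` URLs are assumptions constructed for illustration.

```javascript
// Added example: keep a page from being used inside someone else's frameset.
// `win` is a window-like object so the logic can be exercised outside a browser.
function ensureTopLevel(win) {
  // A page that is not framed is its own top-level window.
  if (win.top === win.self) {
    return "top-level";
  }
  // Framed: hide the content first, so a login form is not usable inside
  // the foreign frameset even if the navigation below is refused.
  win.document.documentElement.style.display = "none";
  try {
    // Replace the enclosing frameset with this page.
    win.top.location = win.self.location.href;
    return "broke-out";
  } catch (e) {
    // The browser refused the navigation; the page stays hidden.
    return "hidden";
  }
}

// Constructed window-like objects (stand-ins, not real browser windows).
function makeWindow(href, top) {
  const w = { location: { href }, document: { documentElement: { style: {} } } };
  w.self = w;
  w.top = top || w;
  return w;
}

function demo() {
  const direct = makeWindow("https://bank.example/login");
  const outer = makeWindow("https://framing.example/");
  const framed = makeWindow("https://bank.example/login", outer);
  // A top window whose location cannot be assigned by the framed page.
  const locked = { set location(v) { throw new Error("navigation blocked"); } };
  const stuck = makeWindow("https://bank.example/login", locked);
  return {
    direct: ensureTopLevel(direct),
    framed: ensureTopLevel(framed),
    outerNow: outer.location,
    stuck: ensureTopLevel(stuck),
    stuckDisplay: stuck.document.documentElement.style.display,
  };
}

// In a browser, run the check against the real window as early as possible.
if (typeof window !== "undefined") {
  ensureTopLevel(window);
}
```

Current browsers also let a site refuse framing with the `X-Frame-Options` and `Content-Security-Policy: frame-ancestors` response headers, which do not depend on script running in the page.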