A security firm warned Tuesday that two versions of Microsoft’s ubiquitous Internet Explorer contain a serious flaw
that makes it possible for attackers to steal cookies from Web sites, forge
content, read local files and execute arbitrary programs on a user’s PC.
The flaw, discovered by Israel’s GreyMagic Software, is present in IE
versions 5.5 and 6.0. Any application built on IE’s engine, the
WebBrowser control, is affected as well, including Outlook and MSN Explorer.
“It is rated very severe as it defeats all the basic protections set forth
by IE and allows access and some execution rights to local content,” Lee
Dagon, head of research and development at GreyMagic, told
internetnews.com. “An attacker may be able to read private documents,
the Windows password .DAT file, make your Amazon ‘buy in one click’ click
anything the attacker chooses, and even get access to credit card
information in SSL-protected sites.”
Microsoft took exception to the fact that GreyMagic Software published the flaw without giving Microsoft a chance to review it. A company spokesman told internetnews.com: “The Microsoft Security Response Center is thoroughly investigating this issue, just as we do with every report we receive of security vulnerabilities affecting Microsoft products. At this point in the investigation we feel strongly that speculating on the issue while the investigation is in progress would be irresponsible and counterproductive to our goal of protecting our customers’ information.”
GreyMagic said the root of the problem lies in the
frame and iframe elements. Because these elements may load URLs from other domains or
protocols, they are governed by strict security rules that prevent a frame in one domain from accessing
content and information in another.
However, GreyMagic noted that while there are many ways to refer to an
iframe or frame document in Internet Explorer,
those documents are really instances of the WebBrowser control supplied by Microsoft.
It is this WebBrowser control that exposes several potentially dangerous
properties by default, properties which Microsoft overrides in Internet Explorer.
“Microsoft missed out on one important property, ‘Document’, with
a capital ‘D’,” GreyMagic said in a new security bulletin.
The company explained further: “Normally, using ‘oElement.document’ would
provide a reference to the document that owns the current element. The same
applies to the frame and iframe elements. However, we discovered that
when ‘oIFrameElement.Document’ is used, the returned document is the one
contained inside the frame, and there are no security restrictions in place
to check if it’s in a different domain.”
GreyMagic said this provides full access to the frame’s Document
Object Model, which allows an attacker to reach into a person’s PC and
carry out the attacks described above.
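The check a site owner would want from this description is whether the browser in front of them actually isolates a cross-origin frame on every property that could hand back the framed document, including the capital-D ‘Document’ spelling the bulletin names. The following is an added example, not code from the article or from GreyMagic; the probe URL and the ‘report’ callback are hypothetical, and the frame-element objects it inspects are whatever the browser supplies.

```javascript
// Added example, not from the article or GreyMagic's bulletin: a page-side
// self-check that a browser isolates a cross-origin frame on every frame-element
// property that could hand back the framed document, including the legacy
// "Document" spelling described above. Returns the names of properties that leak.

const FRAME_DOC_PROPS = ["contentDocument", "document", "Document"];

// True when `doc` is readable and belongs to the frame's content rather than to
// the page that owns the frame element (oElement.document returns the latter).
function exposesFrameContent(doc, ownerDoc) {
  if (doc == null || doc === ownerDoc) return false;  // nothing, or our own document
  try {
    // A properly isolated cross-origin document throws on any member access.
    return doc.body !== undefined || typeof doc.cookie === "string";
  } catch (e) {
    return false;                                     // SecurityError: isolated
  }
}

function probeFrameIsolation(frameEl) {
  const ownerDoc = frameEl.ownerDocument;
  const leaks = [];
  for (const prop of FRAME_DOC_PROPS) {
    let doc;
    try { doc = frameEl[prop]; } catch (e) { continue; } // the getter itself threw: isolated
    if (exposesFrameContent(doc, ownerDoc)) leaks.push(prop);
  }
  // contentWindow.document is the other standard route to the framed document.
  try {
    const win = frameEl.contentWindow;
    if (win && exposesFrameContent(win.document, ownerDoc)) leaks.push("contentWindow.document");
  } catch (e) { /* isolated */ }
  return leaks;
}

// Browser usage (hypothetical): load a frame from another origin, then probe it
// and hand the list of leaking properties to the caller's report callback.
function probeCrossOriginFrame(url, report) {
  const frame = document.createElement("iframe");
  frame.onload = () => report(probeFrameIsolation(frame));
  frame.src = url;
  document.body.appendChild(frame);
}
```

An empty list from probeFrameIsolation means every route to the framed document was either null or raised a security error, which is the behaviour a patched browser should show.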
The security firm said Internet Explorer 5.5 SP2 and Internet Explorer 6 are
vulnerable, although the vulnerability does not exist in IE6 SP1. GreyMagic
advised users to either disable Active Scripting or upgrade to IE6 SP1 until
Microsoft issues a fix.
Microsoft did not respond to queries as of press time.