Israeli-based security firm GreyMagic on Monday issued a warning that a new
vulnerability discovered in Microsoft’s Internet Explorer (IE) could allow attackers to
compromise your computer through a Web site’s frames.
All versions 5.5 and above of the popular Web browser are vulnerable
to the flaw, as is any other application that uses IE’s engine, such as
Outlook and MSN Explorer.
The vulnerability allows an attacker to execute script on any page that
contains frame or iframe (inline frame) elements, ignoring any protocol or
domain restriction set forth by IE.
By executing script, an attacker could steal cookies from almost any site,
access and change content in sites and in most cases also read local files
and execute arbitrary programs on the client’s machine.
Frames, which are essentially sections of the browser display that are
separate Web pages, may contain URLs in other domains or protocols, and
therefore have strict security rules, which prevent frames in one domain from
accessing content and information in another.
It is possible, however, to set the frame’s URL. Setting the child frame’s
URL to “javascript:[code]” will execute the script in the context of the
currently loaded URL.
In order to capitalize on the vulnerability to access the “My Computer”
zone, an attacker would have to find a local file or resource that contains
a frame or an iframe. According to GreyMagic, this would be quite an easy
task for users of IE version 6, as Microsoft provided such a resource,
ironically named “PrivacyPolicy.dlg”.
By loading “res://shdoclc.dll/privacypolicy.dlg” and then changing the URL
of the frame it contains to “javascript:[code]”, an attacker could read
local files and execute arbitrary programs.
While “PrivacyPolicy.dlg” isn’t shipped in version 5.5, Windows ships with
several HTML files, in relatively static locations, that may contain frames.
By running a simple scan on such known local files, an attacker could locate
appropriate files and use them in the same way as “PrivacyPolicy.dlg.”
Because a patch from Microsoft is not yet available, GreyMagic is suggesting
that users disable Active Scripting, which will adequately address the issue.
Microsoft, which has become notorious for security flaws, is also currently
scrambling to find the cause of an increase in attacks that lock out
users, install backdoor programs, and give an attacker remote access.
The company’s Product Support Services (PSS) Security Team issued a vague
bulletin noting the increase in malicious activity that tries to load code
on Windows 2000-based servers. This activity is typically associated with a
program that has been identified as Backdoor.IRC.Flood.
Microsoft updated its initial report with its latest theory, that the
activity is associated with a coordinated series of individual attempts to
compromise Windows 2000-based servers.
Noting that the attacks do not appear to exploit any new product-related
security vulnerabilities and do not appear to be viral or worm-like in
nature, Microsoft stated that the threat should be addressed by following
standard security practices, such as eliminating blank or weak administrator
passwords, disabling the guest account, running current antivirus software,
and using a firewall.