A security research group known as the Greyhats Security Group has
announced a new Microsoft Internet Explorer flaw and has posted a proof of concept exploit to
back up its claims.
An individual “Greyhat” going by the name of “Paul” posted the
vulnerability, which has been confirmed by other security research firms,
including Secunia, on fully patched systems with XP SP2 and IE 6.
Secunia, which tagged the flaw moderately critical, noted that,
“the vulnerability is caused due to an error in the DHTML Edit
ActiveX control when handling the execScript() function in certain
situations.” The so-called “MSIE DHTML Edit Control Cross Site Scripting
Vulnerability” could allow an attacker to execute a cross-site scripting
attack; it is possible to steal cookie-based authentication credentials
through this vulnerability.
The discussion of the exploit by the Greyhat security researcher
describes how he discovered the vulnerability and then went
about exploiting it. Paul explained that after looking at a popup-blocker
killer posted by a fellow security researcher, he became interested in the
DHTML Edit control.
Paul noted that he didn’t know the exact specifics of the control but
was able, through testing, to find the vulnerability.
“SP2 puts extremely heavy security on the javascript: and vbscript:
protocols, apparently rendering them useless for hacking attempts,” Paul
wrote. “However, there are still plenty of ways to make a target run
script.”
Secunia recommends that users disable ActiveX support by setting their “Internet”
zone security level to “High.” It also notes that XP SP2 users can
disable the exploitable ActiveX control via the Tools/Manage Add-ons
option.
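As an added example (not from the article, Secunia, or the Greyhats post), a read-only PowerShell check that reads the IE “Internet” zone settings from the registry and reports whether Secunia’s zone-level workaround is in place; the registry path, the numeric zone levels and the 1200 action id are the standard IE zone settings and are assumed here rather than taken from the article.

```powershell
# Added example: inspect the IE "Internet" zone (zone id 3) for the
# Secunia workaround. Does not change anything; it only reports.
# Assumed (standard IE layout): zone settings live under the user's
# Internet Settings\Zones\<id> key, CurrentLevel holds the slider
# position, and action 1200 is "Run ActiveX controls and plug-ins".
$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# CurrentLevel values as written by the Internet Options dialog
$levels = @{
    0x12000 = 'High'
    0x11000 = 'Medium-High'
    0x11500 = 'Medium'
    0x10500 = 'Medium-Low'
    0x10000 = 'Low'
}

$zone = Get-ItemProperty -Path $zonePath -ErrorAction Stop

$levelName = $levels[[int]$zone.CurrentLevel]
if (-not $levelName) {
    # A hand-edited zone shows up as a value outside the named presets
    $levelName = 'Custom (0x{0:X})' -f $zone.CurrentLevel
}

# Action 1200: 0 = enable, 1 = prompt, 3 = disable
$activeX = $zone.'1200'
$activeXState = switch ($activeX) {
    0       { 'Enabled' }
    1       { 'Prompt' }
    3       { 'Disabled' }
    default { "Unknown ($activeX)" }
}

[pscustomobject]@{
    Zone              = 'Internet (3)'
    SecurityLevel     = $levelName
    RunActiveX        = $activeXState
    # Either the High preset or an explicit ActiveX disable satisfies the advice
    WorkaroundApplied = ($levelName -eq 'High' -or $activeX -eq 3)
}
```

This covers only the zone-level workaround; the per-control disable through Tools/Manage Add-ons is a separate setting and is not checked here.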