More IE Vulnerabilities

Researchers have noted three vulnerabilities that could expose
Microsoft Internet Explorer (IE) users to the risk
of potential attack from malicious users.

Late Tuesday, German Security Researcher Benjamin Tobias Franz
reported a URL spoofing
bug with iframes in IE. When exploited, the bug permits a faked
target address to be shown in the status bar window.

“Successful exploitation allows a malicious Web site to obfuscate URLs in the status bar,
even when JavaScript support has been disabled,” according to a note on the BugTraq site.

Security researcher Gilbert Verdian
the same bug in Apple’s Safari Web browser running on OS X.

A Microsoft spokesperson told that the company had not been made aware of any active
exploits of the reported vulnerabilities or customer impact at this time, but that it is aggressively
investigating the public reports.

“Upon completion of this investigation, Microsoft will take the appropriate action to protect
our customers, which may include providing a fix through our monthly release process or an
out-of-cycle security update, depending on customer needs,” the spokesperson said.

Security firm Secunia is also reporting the “extremely critical”
Internet Explorer IFRAME Buffer Overflow Vulnerability.
A working exploit is out in the wild already and can potentially
lead to execution of arbitrary code on a user’s PC.

“The vulnerability is caused due to a boundary error in the handling of certain attributes
in the IFRAME HTML tag,” Secunia’s advisory states. “This can be exploited to cause a
buffer overflow via a malicious HTML document containing overly long strings in the “SRC”
and “NAME” attributes of the IFRAME tag.”

As with the URL spoofing issue, Windows XP SP2 users are not at risk. However, users running
XP without XP2 or using running a non-XP Windows OS (like Windows 2000) are at risk.

XP SP2 users however are still not out of the woods. A new variant of the
drag and drop vulnerability
was reported by Iranian security researcher Roozbeh Afrasiabi.

This time the vulnerability
has been used to bypass local zone security restrictions in order to expose cross-zone and
cross-domain scripting vulnerabilities.

“A security site/zone restriction error, where an embedded HTML Help control on, e.g. a
malicious Web site, references a specially crafted index (.hhk) file,
can execute local HTML documents or inject arbitrary script code in context of a previous
loaded document using a malicious JavaScript URI handler,” according to the Secunia advisory.

Microsoft’s spokesperson downplayed any potential impact from this particular report, noting
that the company has received no customer reports of impact at this time.

“An attacker would need to first entice the user to visit a specific Web site and then
entice the user take a series of specific actions on the Web site, then reboot or log off
before the attack could succeed without user action,” the spokesperson explained.

The spokesperson also noted that customers who have applied the latest Internet
Explorer update, MS04-038, can set the “Drag and Drop or copy and paste files” option
in the Internet and intranet zone to “Disable” or “Prompt.” Once this setting is changed,
the attack described in the report will not succeed.

“With both of these issues, we continue to encourage customers to follow our
Protect Your PC guidance
of enabling a firewall, getting software updates and installing anti-virus
software,” Microsoft’s spokesperson said.

News Around the Web