Vulnerability Note VU#713878
Microsoft Internet Explorer does not properly validate source of redirected frame
Microsoft Internet Explorer (IE) does not adequately validate the security context of a frame that has been redirected by a web server. An attacker could exploit this vulnerability to evaluate script in different security domains. By causing script to be evaluated in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE.
The Cross-Domain Security Model
IE uses a cross-domain security model to maintain separation between browser frames from different sources. This model is designed to prevent code in one domain from accessing data in a different domain. The Local Machine Zone is "...an implicit zone for content that exists on the local computer. The content found on the user's computer, except for content that Internet Explorer caches on the local system, is treated with a high level of trust." The determination of what zone and/or domain a URL exists in and what actions can be performed in that zone is made by the Internet Security Manager Object.
HTTP/1.1 302 Object moved
Note that this vulnerability does not rely on the use of ITS protocol handlers or CHM files. The Location field can be set to any local HTML resource.
By convincing a victim to view an HTML document (web page, HTML email), an attacker could execute script in a different security domain than the one containing the attacker's document. By causing script to be run in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE.
There are a number of significant vulnerabilities in technologies related to the IE domain/zone security model, trust in and access to the local file system (Local Machine Zone), the Dynamic HTML (DHTML) document object model (in particular, proprietary DHTML features), the HTML Help system, MIME type determination, the graphical user interface (GUI), and ActiveX. These technologies are implemented as operating system components that are used by IE and many other programs to provide web browser functionality. These components are integrated into Windows to such an extent that vulnerabilities in IE frequently provide an attacker significant access to the operating system.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Microsoft Corporation||Affected||10 Jun 2004||13 Oct 2004|
CVSS Metrics (Learn More)
Public incidents related to this vulnerability were reported by Rafel Ivgi. Thanks to Jelmer for further research and analysis.
This document was written by Art Manion.
- CVE IDs: CVE-2004-0549
- Date Public: 03 Jun 2004
- Date First Published: 09 Jun 2004
- Date Last Updated: 23 Jul 2012
- Severity Metric: 64.80
- Document Revision: 85
If you have feedback, comments, or additional information about this vulnerability, please send us email.