Microsoft Internet Explorer (IE) fails to properly validate redirected functions. The impact is similar to that of a cross-site scripting vulnerability, which allows an attacker to access data in other sites, including the Local Machine Zone.
IE is vulnerable to a cross-domain violation that involves redirected or cached functions. Rather than calling a script function directly, it is possible for one object to cache a reference to a function that resides in a different object, such as an IFRAME or a popup window. When the domain of the parent object (containing the cached reference) changes, IE incorrectly determines the source of the function based on the new domain of the cached reference. The function, contained in the object in the original domain, is executed in the context of the parent object (containing the cached reference), in the new domain. Because the object that invokes the script may be in a different domain than the object in which the script executes, the cross-domain security model is violated.
By convincing a user to follow a URL or read an HTML email message containing malicious script, an attacker could take any action with the privileges of the user executing the script. This could include opening new browser windows to different sites in different security zones, reading or modifying information in open browser windows, reading files on the local file system, and executing commands that are in a location known to the attacker. By leveraging capabilities provided by technologies such as ActiveX controls and the HTML Help system, an attacker could execute arbitrary code.
Apply a patch
This vulnerability was reported by Paul from GreyHats Security Group
This document was written by Will Dormann and Art Manion.
|Date First Published:||2004-10-19|
|Date Last Updated:||2007-08-29 19:39 UTC|