A vulnerability in the way Microsoft Internet Explorer (IE) handles window ornament parameters in dialog frames allows script from a dialog frame in one domain to execute in a different domain, including the Local Machine Zone. The script could read certain local files and data (e.g., cookies) from other web sites. In the presence of other vulnerabilities (VU#626395, VU#25249), the script could execute arbitrary commands.
Microsoft Internet Explorer provides two methods (showModalDialog and showModelessDialog) that can be used to display dialog box frames. Both methods require a URI parameter that specifies the source of the dialog frame's content. The methods may optionally specify "window ornaments" that control different aspects of the dialog frame's appearance (position, dimensions, font settings, etc.).
A dialog frame is subject to the security restrictions of the DHTML Object Model: script executing in one frame cannot access data in a frame from a different domain or across a different protocol. The dialog methods may specify a source URI in a different domain than the parent frame; however, the security restrictions should prevent script in one frame from accessing data in the other.
An attacker who is able to convince a user to access a specially crafted HTML document, such as an Internet web page or HTML email message, could read data from a different domain, including the Local Machine Zone. The attacker could read cookies from other web sites and certain types of local files. The attacker's HTML document would need to reside in a zone in which Active Scripting was enabled.
Restrict HTML Help commands
Restrict the execution of the Shortcut and WinHelp HTML Help commands to specified folders, or disable the commands entirely. As in the previous recommendation, this technique will protect against arbitrary command execution via HTML Help. Details are available in Microsoft Knowledge Base Article 810687.
This vulnerability was publicly reported by Liu Die Yu.
Date First Published: 2003-05-05
Date Last Updated: 2003-05-06 20:24 UTC