search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Microsoft Internet Explorer window.createPopup() method creates chromeless windows

Vulnerability Note VU#490708

Original Release Date: 2004-09-10 | Last Revised: 2004-10-27

Overview

The Internet Explorer (IE) window.createPopup() method creates chromeless popup windows. These windows can be used to spoof the user interface in Internet Explorer, any Windows application, or the Windows desktop.

Description

The visible area of a web browser window can be categorized into two areas: content and chrome. The content area is where the web browser renders HTML and other data. The chrome area surrounds the content area and includes the status bar, address bar, tool bar, and menu area. In most cases, the entire browser window (chrome and content) is enclosed with "window management decorations" - title, frame, and minimize, maximize, resize, and close controls.

The IE Dynamic HTML (DHTML) model supports a proprietary method to create chromeless popup windows. This method, window.createPopup(), creates browser windows with the following characteristics:

A window created by window.CreatePopup() has the following characteristics:

    • It contains no chrome
    • It has no window manager decoration
    • It appears on top of all other windows
    • It can be placed anywhere on the screen
    • It does not appear in the Windows taskbar
    • It cannot be focused
    • It is closed when the user clicks outside of the window
Chromeless windows can appear anywhere on the screen. Any part of the Windows graphical user interface (GUI) can be covered by chromeless windows, including the IE address bar, IE scroll bar, IE HTTPS padlock icon, Start menu, system tray, other Windows applications, or the entire visible screen. When a refresh loop is used, chromeless windows can remain visible even when the user clicks outside of the window.

Impact

By convincing the user to view an HTML document (e.g., web page, email message) an attacker can deceive the user by changing the appearance of the GUI. Because of their unique characteristics, chromeless windows can be used to facilitate phishing attacks. For example, an attacker can create a fake address bar and HTTPS padlock icon to spoof a secure website.
More importantly, chromeless windows can be used in combination with other vulnerabilities to copy arbitrary files to the user's machine. IE treats arbitrary files as images with respect to drag and drop operations (VU#526089), allows windows to be manipulated by mouse events (VU#413886), and allows remote web sites to open windows or frames that interact with the local filesystem. By convincing the user to perform drag and drop actions such as clicking an image, selecting text, or dragging the scrollbar, an attacker can copy malicious code to the target machine.

Solution

Install Windows XP Service Pack 2 (SP2)

Microsoft Windows XP SP2 significantly improves your computer's defenses against attacks and vulnerabilities. SP2 places constraints on popup windows created by window.createPopup(), limiting the ability to spoof the IE and Windows GUI. The constraints are:

    • A popup window must appear between the top and bottom of its parent window's chrome, so it does not overlap the Internet Explorer address bar, title bar, status bar, or toolbars.
    • Horizontally, a popup window must always overlap some area of its parent window.
    • A popup window must stay immediately on top of its parent, so it cannot be placed over other windows.
These enhancements prevent a large number of spoofing attacks with IE.

Disable Active scripting and ActiveX controls

Disabling Active scripting prevents attackers from creating chromeless windows using window.Createpopup(). Disabling ActiveX controls prevents IE from making images transparent, which is a component of publicly available exploit code.

At a minimum, disable Active scripting and ActiveX controls in the Internet zone and the zone used by Outlook, Outlook Express, or any other software that uses the WebBrowser ActiveX control or the IE HTML rendering engine (MSHTML). Instructions for disabling Active scripting and ActiveX controls can be found in the Malicious Web Scripts FAQ.

Apply the Outlook Email Security Update

Another way to effectively disable Active scripting and ActiveX controls in Outlook is to install the Outlook Email Security Update. The update configures Outlook to open email messages in the Restricted Sites Zone, where Active scripting and ActiveX controls are disabled by default. In addition, the update provides further protection against malicious code that attempts to propagate via Outlook. The Outlook Email Security Update is available for Outlook 98 and Outlook 2000. The functionality of the Outlook Email Security Update is included in Outlook 2002 and Outlook Express 6.

Render email in plain text

Configure email client software (mail user agent [MUA]) to render email messages in plaint text. Instructions to configure Outlook 2002 and Outlook Express 6 are available in Microsoft Knowledge Base Articles 307594 and 291387, respectively. HTML-formatted email messages may not appear properly, however script will not be evaluated, thus preventing certain types of attacks.

Maintain updated antivirus software

Antivirus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely on antivirus software to defend against this vulnerability.

Use a different web browser

There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, the graphical user interface (GUI), and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when browsing untrusted sites. Such a decision may, however, reduce the functionality of sites that require IE-specific features such as DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control, or the HTML rendering engine (MSHTML).

Vendor Information

490708
 
Expand all

Microsoft Corporation Affected

Notified:  September 09, 2004 Updated: September 10, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base 0 AV:--/AC:--/Au:--/C:--/I:--/A:--
Temporal 0 E:Not Defined (ND)/RL:Not Defined (ND)/RC:Not Defined (ND)
Environmental 0 CDP:Not Defined (ND)/TD:Not Defined (ND)/CR:Not Defined (ND)/IR:Not Defined (ND)/AR:Not Defined (ND)

References

Acknowledgements

Thanks to Georgi Guninski and Andrew Clover for reporting this vulnerability.

This document was written by Will Dormann and Art Manion.

Other Information

CVE IDs: CVE-2001-1410
Severity Metric: 31.92
Date Public: 2001-10-21
Date First Published: 2004-09-10
Date Last Updated: 2004-10-27 21:31 UTC
Document Revision: 65

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis