Microsoft Internet Explorer (IE) does not adequately validate the security context of a frame that has been redirected by a web server. An attacker could exploit this vulnerability to evaluate script in different security domains. By causing script to be evaluated in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE.
The Cross-Domain Security Model
IE uses a cross-domain security model to maintain separation between browser frames from different sources. This model is designed to prevent code in one domain from accessing data in a different domain. The Local Machine Zone is "...an implicit zone for content that exists on the local computer. The content found on the user's computer, except for content that Internet Explorer caches on the local system, is treated with a high level of trust." The determination of what zone and/or domain a URL exists in and what actions can be performed in that zone is made by the Internet Security Manager Object.
HTTP/1.1 302 Object moved
Note that this vulnerability does not rely on the use of ITS protocol handlers or CHM files. The Location field can be set to any local HTML resource.
By convincing a victim to view an HTML document (web page, HTML email), an attacker could execute script in a different security domain than the one containing the attacker's document. By causing script to be run in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE.
There are a number of significant vulnerabilities in technologies related to the IE domain/zone security model, trust in and access to the local file system (Local Machine Zone), the Dynamic HTML (DHTML) document object model (in particular, proprietary DHTML features), the HTML Help system, MIME type determination, the graphical user interface (GUI), and ActiveX. These technologies are implemented as operating system components that are used by IE and many other programs to provide web browser functionality. These components are integrated into Windows to such an extent that vulnerabilities in IE frequently provide an attacker significant access to the operating system.
Public incidents related to this vulnerability were reported by Rafel Ivgi. Thanks to Jelmer for further research and analysis.
This document was written by Art Manion.
|Date First Published:||2004-06-09|
|Date Last Updated:||2012-07-23 21:02 UTC|