Vulnerability Note VU#883108
Microsoft Internet Explorer HTML Document object cross-domain vulnerability
Overview
Microsoft Internet Explorer contains a cross-domain vulnerability in how it handles redirected object data. This could allow an attacker to access the content of a web page in a different domain.
Description
The Cross-Domain Security Model
IE uses a cross-domain security model to maintain separation between browser frames from different sources. This model is designed to prevent code in one domain from accessing data in a different domain. The Internet Security Manager Object determines which zone or domain a URL exists in and what actions can be performed. From Microsoft Security Bulletin MS03-048:
The HTML Document object provides the core HTML rendering functionality of the Internet Explorer web browser. This object is provided by the file mshtml.dll. A web page can make use of the HTML Document object as an ActiveX control by using the <OBJECT> tag.
The problem
The HTML Document object fails to enforce the cross-domain security model when it encounters an HTTP redirect to a site that uses an HTTP Cache-Control header of "private."
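The check the cross-domain model calls for, sketched as an added example (a simplified model, not Internet Explorer's code and not part of the original note): access is decided against the URL reached after all redirects, and the Cache-Control value plays no part. The host names, response table, function names and hop limit are assumptions made for illustration.

```javascript
// Simplified model of cross-domain enforcement for <OBJECT> data that is
// fetched through HTTP redirects. All names and data here are hypothetical.

const MAX_REDIRECTS = 5; // assumed hop limit

// Security origin: scheme, host and effective port.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || (u.protocol === "https:" ? "443" : "80");
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Follow 3xx responses in a constructed response table and return the URL
// whose body would actually be rendered, or null if the chain never ends.
function resolveFinalUrl(startUrl, responses) {
  let current = new URL(startUrl).href;
  for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {
    const res = responses[current];
    if (!res) return null;
    const isRedirect = res.status >= 300 && res.status < 400 && res.location;
    if (!isRedirect) return current;
    current = new URL(res.location, current).href; // Location may be relative
  }
  return null; // too many redirects
}

// The embedding page may script the object only if the document that was
// finally loaded shares its origin. Cache-Control is deliberately ignored.
function mayScriptObject(embedderUrl, dataUrl, responses) {
  const finalUrl = resolveFinalUrl(dataUrl, responses);
  return finalUrl !== null && originOf(finalUrl) === originOf(embedderUrl);
}

// Constructed responses for the demonstration.
const RESPONSES = {
  "http://page.example/local": { status: 200, cacheControl: "no-cache" },
  "http://page.example/go": { status: 302, location: "http://other.example/inbox" },
  "http://other.example/inbox": { status: 200, cacheControl: "private" },
  "http://page.example/self": { status: 301, location: "/local" },
  "http://page.example/loop": { status: 302, location: "/loop" },
};
```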
Impact
By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message), an attacker may be able to obtain access to web content in another domain. The impact is similar to that of a cross-site scripting vulnerability. For a more detailed description of the impact of cross-site scripting vulnerabilities, please see CERT Advisory CA-2000-02.
Solution
Apply an update
Systems Affected
Vendor | Status | Date Notified | Date Updated |
---|---|---|---|
Microsoft Corporation | Affected | 28 Jun 2006 | 08 Aug 2006 |
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | N/A | N/A |
Temporal | N/A | N/A |
Environmental | N/A | N/A |
References
- http://www.microsoft.com/technet/security/bulletin/ms06-042.mspx
- http://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer
- http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060627/3d930eda/PLEBO-2006.06.16-IE_ONE_MINOR_ONE_MAJOR.obj
- http://secunia.com/advisories/20825/
- http://isc.sans.org/diary.php?storyid=1448&rss
- http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.3
Credit
This vulnerability was publicly disclosed by Plebo Aesdi Nael.
This document was written by Will Dormann.
Other Information
- CVE IDs: CVE-2006-3280
- Date Public: 27 Jun 2006
- Date First Published: 28 Jun 2006
- Date Last Updated: 08 Aug 2006
- Severity Metric: 11.34
- Document Revision: 12