J-Security Center

Title: Microsoft IE Same Origin Policy Violation Vulnerability

Severity: CRITICAL

Description:

There exists a vulnerability in Microsoft Internet Explorer that allows script on one website to violate the same origin policy.

In modern browsers, script code executing in the context of one website should not be able to read or modify the properties (document contents, cookies, form fields) of a page loaded from a different origin, where an origin is the combination of scheme, host and port. This security feature is known as the 'same origin policy', and it is put in place to prevent malicious websites from interacting with, and possibly stealing sensitive information from, other websites open in different windows or frames.

When one website ('parent') opens another website in a new window ('child') using the document.open() method in vulnerable versions of MSIE (IE's document.open() accepts a URL, window name and feature string, in which case it behaves like window.open()), script code in the parent can interact with the properties of the child document even though the child was loaded from a different origin.

This violation of the 'same origin policy' is a severe security vulnerability. There are many ways that an attacker could exploit this vulnerability.

Attackers can construct websites that, for example:

- Steal cookies associated with arbitrary websites.
- Perform actions on different websites through script code (for example, may be possible to delete mail on a webmail system).
- Transmit the contents of local files (parseable as type text/html) to attacker-controlled webservers.
- Write to windows containing different websites, effectively 'spoofing' the content. This is probably the most serious consequence, as trusted websites can be replaced with entirely attacker-created HTML.
- Access other objects through MSIE, such as MSN contacts.

This has been confirmed in Microsoft IE 5.5 and 6.0, running on Windows Me and Windows 2000 Professional respectively. Given the serious nature of this flaw, users are strongly advised to disable scripting in MSIE or use another browser until fixes are installed. It is likely that this can be exploited through HTML e-mail in clients that use the MSIE rendering component.

** UPDATE ** : There have been reports of a worm-like exploit for this vulnerability in the wild. The exploit is triggered by a malicious webpage. When a victim visits the site, this vulnerability is allegedly exploited to send messages to all users in the victim's MSN contact list. This exploit may also be harvesting the email addresses of the contacts.

The messages sent to users contain links to the malicious site. It is through these messages that users are being exploited (it could be said that the exploit is 'propagating' itself; however, it is believed that the victim must click on the link and visit the site with Internet Explorer. Exploitation through HTML mail may also be possible). To avoid exploitation, do not click on any links in a message similar to this:

'"Go To http://www.masenko-media.net/cool.html NoW !!!"'

A safe practice is to not click on links in instant messages at all. The link listed previously at the time of this update did not contain the exploit. This does not mean that it cannot appear elsewhere. Users are advised to be cautious while using MSN and visiting unknown websites.

Affected Products:

  • Microsoft Internet Explorer 5.5
  • Microsoft Internet Explorer 5.5 SP1
  • Microsoft Internet Explorer 5.5 SP2
  • Microsoft Internet Explorer 6.0
  • Microsoft Windows ME
  • Microsoft Windows Server 2003 Datacenter Edition
  • Microsoft Windows Server 2003 Datacenter Edition Itanium
  • Microsoft Windows Server 2003 Enterprise Edition
  • Microsoft Windows Server 2003 Enterprise Edition Itanium
  • Microsoft Windows Server 2003 Standard Edition
  • Microsoft Windows Server 2003 Web Edition
  • Microsoft Windows XP Home
  • Microsoft Windows XP Professional

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.