Exploit code released for unpatched IE 7 vulnerability


Summary: Another day, another gaping hole affecting fully patched versions of Microsoft's Internet Explorer browser. According to a warning from US-CERT, proof-of-concept exploit code has been published for a new zero-day bug that can be used for a variety of malicious attacks against Windows users running IE 6, IE 7, and IE 8 beta 1.


Another day, another gaping hole affecting fully patched versions of Microsoft's Internet Explorer browser.

According to a warning from US-CERT, proof-of-concept exploit code has been published for a new zero-day bug that can be used for a variety of malicious attacks against Windows users running IE 6, IE 7, and IE 8 beta 1.

The code, published here by 'sirdarckat', shows how the vulnerability can be exploited to hijack an iFrame in a legitimate site and capture a target's keystrokes. This occurs because Internet Explorer fails to properly restrict access to a document's frames, allowing an attacker to modify the contents of frames in a different domain.

[ SEE: Zero-day flaw haunts Internet Explorer ]

This screenshot (of a proof-of-concept created by researcher Aviv Raff) shows the Google home page in a frame hijacked from Microsoft's Windows Update site. The security implications are rather frightening:

[ Screenshot: IE frame location vulnerability ]

Can you imagine if someone spoofs this page with their own rigged Microsoft Update download page?

From the US-CERT advisory:

Microsoft Internet Explorer fails to properly restrict access to a document's frames. This can allow an attacker to replace the contents of a web page's frame with arbitrary content. Internet Explorer still appears to enforce the cross-domain security model, which limits the actions that a malicious frame can take with the parent document. For example, a frame that exists in a different domain should not be able to access the parent document's cookies or HTML content, or other domain-specific DOM components. However, components that are not tied to a specific domain, such as the onmousedown event, can still be accessed. By monitoring this particular event, an IFRAME can capture keystrokes from the parent document. Other actions may be possible.

...By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message), an attacker may be able to access non-domain-specific elements from a web page that exists in a different domain. For example, the attacker may be able to capture keystrokes while a user is interacting with a web page in a different domain.
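The advisory describes a browser that lets any document navigate any frame in any other domain. The following is an added example, not code from the article, US-CERT or sirdarckat's proof-of-concept: a small JavaScript model that puts that permissive rule beside the descendant navigation policy (Barth, Jackson and Mitchell, 2008) that browsers later adopted to close this class of hole, run over a constructed update-site/attacker scenario whose frame names and origins are assumptions.

```javascript
// Added example (not from the article, US-CERT, or the published PoC): a
// model of frame-navigation policy, the check the advisory says IE failed to
// apply. Frame names, origins and the tree are constructed for illustration.

// Parsed origin (scheme + host + port) of a URL.
function origin(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// A frame: { name, url, parent, children }. A frame with no parent is the
// top-level document of its own window.
function makeFrame(name, url, parent = null) {
  const f = { name, url, parent, children: [] };
  if (parent) parent.children.push(f);
  return f;
}

// True when `ancestor` is somewhere above `target` in the same frame tree.
function isDescendant(target, ancestor) {
  for (let f = target.parent; f !== null; f = f.parent) {
    if (f === ancestor) return true;
  }
  return false;
}

// Permissive policy: the behaviour the advisory describes, where any document
// can replace the contents of any frame, whatever its domain.
function permissiveAllows(navigator, target) { return true; }

// Descendant policy (Barth, Jackson and Mitchell, "Securing Frame
// Communication in Browsers", 2008): a document may navigate a frame only if
// they share an origin or the target sits below it in the frame tree.
function descendantAllows(navigator, target) {
  return origin(navigator.url) === origin(target.url) || isDescendant(target, navigator);
}

// Apply a navigation attempt under a policy; returns the frame's resulting URL.
function navigate(navigator, target, newUrl, allows) {
  if (allows(navigator, target)) target.url = newUrl;
  return target.url;
}

// Constructed scenario modelled on the screenshot: an update site whose page
// holds a "downloads" frame, and an attacker document in a separate window.
function hijackOutcome(allows) {
  const updateTop = makeFrame("update", "https://update.example/");
  const downloads = makeFrame("downloads", "https://update.example/downloads", updateTop);
  const attacker = makeFrame("attacker", "https://attacker.example/");
  return navigate(attacker, downloads, "https://attacker.example/fake-update", allows);
}
```

Under the permissive rule the attacker's document replaces the update site's frame with its own page, which is the spoofed-download scenario the article raises; under the descendant policy the frame keeps its original URL.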

[ ALSO SEE: Internet Explorer ‘feature’ causing drive-by malware attacks ]


Talkback

16 comments
  • Your picture looks like Google hacked Microsoft

    Google pages enter unannounced.
    anonymous
  • Can this happen if another window isn't open?

    or a tab?

    There has to be somebody looking at the doc model, right?

    So if one uses IE one window, one website at a time, is this safe?

    I think your article isn't complete until it answers the question of what is _safe_ to do. Otherwise, it is scare tactics -- unless there is no safety.

    I and surely others would like to know. And wondering what web browser has any possibility to work with one's banks.

    N.
    Narr vi
    • Yes, via a hidden IFrame...

      You don't have to see another window open for an IFrame attack to occur and in most cases the author does not want you to see that another Frame has been opened so they hide it. None the less that IFrame is usually pointed at a server of the malware author's choice to further download malware onto your PC.
      dunn@...
      • good point, but

        this would imply there had been a successful 'intervention' on the target website, right? SQL injection, etc..

        It's still not clear to me that there can be the attack if the primary website, the bank for example, has not been altered. Please say if you think there can.

        If the bank itself has been hit, all safe bets are off, including this one clearly having its chance to play.

        Do you think this is seeing clearly?

        Thanks,
        Narr vi
        Narr vi
        • Yes, but if you continued a previous session

          that had inserted the iframe then just changing the URL to another site is not going to ensure that the IFrame is not still present.
          dunn@...
  • "unpatched"? this is obvious, because it's a new flaw

    unpatched? this is obvious, because it's a new flaw
    qmlscycrajg
    • Newly Discovered

      Just like the Firefox3 vulnerability which also affects FF2. This one affects IE6 and IE8 as well as IE7. It's been around for a while, it's been found just now.
      balaknair
  • RE: Exploit code released for unpatched IE 7 vulnerability

    Does this affect Vista ????
    mrlinux
    • Yes

      Vista is affected.
      forrestgump2000@...
      • So protected mode does not even help ???

        NT
        mrlinux
  • RE: Exploit code released for unpatched IE 7 vulnerability

    Just another example of Redmond's innovation.
    ator1940
  • We can only HOPE that MS takes this seriously

    But if past history is any indicator they will probably wait until August's patch tuesday if even then.
    dunn@...
  • RE: Exploit code released for unpatched IE 7 vulnerability

    Secunia marks this as moderately critical. Has the author analyzed the nature of the hack? It looks like the initial step is to convince the user to open a weird URL.

    So this only means that if you want to go to your bank, you should type the URL directly (or use a shortcut). After that, do not trust sites that do not use https for the logon page or the ones that load a mixture of secure and secure-not URLs.

    Right?
    Earthling2
    • Typing URL directly or using shortcut...

      Yes, it's always best to use known shortcuts or type URLs directly when going to a bank site but with this exploit, you're not even guaranteed to be safe if the malicious site was visited at some point BEFORE you went to your banking website. Even if you don't see any Internet Explorer windows open on your computer, there could be a hidden window left over from a previous browsing session. Check the processes tab of your task manager to make sure there are no left over iexplore.exe processes still running before opening a window to do your banking. At least until this is patched...
      dudge669
      • good point also, and too bad Ryan too lazy to reply on it

        and much as I was getting at above.

        I always use bookmarks to go to financial sites - and even on Firefox, look up any site name by Google of its company if not absolute sure of the url.

        Yet because IE has the hanging-process bug, sure enough there is a way to have malware primed and ready from a previously visited hacked site.

        For myself, time to experiment again and find out how many of the serious sites I visit can now be run from Firefox with NoScript.

        Regards,
        Narr vi
        Narr vi
      • Always Always close the browser before...

        Going to your Financial Institution and even then go to task manager and ensure that there are no "iexplore.exe" processes running say from having Outlook open.

        I have my home page set to "about:Blank" and always close IE after ANY financial transaction and also ensure that is the only session as in you don't have another tab open.
        dunn@...