Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Exploit code released for unpatched IE 7 vulnerability

By Ryan Naraine | June 30, 2008, 11:59am PDT

Another day, another gaping hole affecting fully patched versions of Microsoft’s Internet Explorer browser.

According to a warning from US-CERT, proof-of-concept exploit code has been published for a new zero-day bug that can be used for a variety of malicious attacks against Windows users running IE 6, IE 7, and IE 8 beta 1.

The code, published here by 'sirdarckat', shows how the vulnerability can be exploited to hijack an iFrame in a legitimate site and capture a target's keystrokes. This occurs because Internet Explorer fails to properly restrict access to a document's frames, allowing an attacker to modify the contents of frames in a different domain.

[ SEE: Zero-day flaw haunts Internet Explorer ]

This screenshot (of a proof-of-concept created by researcher Aviv Raff) shows the Google home page in a frame hijacked from Microsoft's Windows Update site. The security implications are rather frightening:

[Screenshot: IE frame location vulnerability]

Can you imagine if someone spoofs this page with their own rigged Microsoft Update download page?

From the US-CERT advisory:

Microsoft Internet Explorer fails to properly restrict access to a document’s frames. This can allow an attacker to replace the contents of a web page’s frame with arbitrary content. Internet Explorer still appears to enforce the cross-domain security model, which limits the actions that a malicious frame can take with the parent document. For example, a frame that exists in a different domain should not be able to access the parent document’s cookies or HTML content, or other domain-specific DOM components. However, components that are not tied to a specific domain, such as the onmousedown event. By monitoring this particular event, an IFRAME can capture keystrokes from the parent document. Other actions may be possible.

…By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message), an attacker may be able to access non-domain-specific elements from a web page that exists in a different domain. For example, the attacker may be able to capture keystrokes while a user is interacting with a web page in a different domain.
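The advisory's point, read from the defender's side: IE still enforces the cross-domain model on the injected frame, so once a frame that a page embeds from its own domain has been navigated to a foreign origin, the parent page can no longer read that frame's location. The following is an added example, not code from this post, from US-CERT or from the researchers named above, of a parent-side integrity check built on exactly that signal. Every frame name, origin and URL in it is constructed, and the browser wiring at the end is hypothetical; the pure helpers run as-is under Node.

```javascript
// Added defensive example (not from the ZDNet post or the US-CERT advisory).
// A page that embeds same-origin iframes audits them: if some other window has
// navigated a frame to another origin, contentWindow.location.href throws a
// SecurityError, and a readable href with an unexpected origin is equally bad.
// Frame names, origins and URLs below are constructed for illustration.

function originOf(href) {
  // scheme://host[:port] of an absolute URL, or null if it cannot be parsed.
  try {
    return new URL(href).origin;
  } catch (e) {
    return null;
  }
}

// readHref: a function returning the frame's current href, or throwing the
// way contentWindow.location.href does when the frame is now cross-origin.
function auditFrame(expectedOrigin, readHref) {
  let href;
  try {
    href = readHref();
  } catch (e) {
    return { status: 'hijacked', reason: 'location unreadable (frame is now cross-origin)' };
  }
  const origin = originOf(href);
  if (origin === expectedOrigin) {
    return { status: 'ok', href };
  }
  return { status: 'hijacked', reason: 'origin ' + origin + ' != ' + expectedOrigin, href };
}

// frames: [{ name, expectedOrigin, readHref }] -> names of frames that fail the audit
function auditFrames(frames) {
  return frames
    .filter((f) => auditFrame(f.expectedOrigin, f.readHref).status !== 'ok')
    .map((f) => f.name);
}

// Constructed scenario: one intact frame and one that was navigated elsewhere.
function demo() {
  const securityError = () => {
    const e = new Error('Permission denied');
    e.name = 'SecurityError';
    throw e;
  };
  return auditFrames([
    { name: 'content', expectedOrigin: 'https://update.example', readHref: () => 'https://update.example/catalog' },
    { name: 'sidebar', expectedOrigin: 'https://update.example', readHref: securityError },
  ]);
}

// Hypothetical browser wiring: a frame's load event fires on every navigation
// of that frame, including navigations initiated by another window, so the
// audit re-runs each time and restores the frame's intended content if it fails.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const expected = { content: 'https://update.example', sidebar: 'https://update.example' };
  for (const iframe of document.querySelectorAll('iframe[name]')) {
    const name = iframe.name;
    const homeSrc = iframe.src; // the src attribute is not altered by a cross-window navigation
    iframe.addEventListener('load', () => {
      const result = auditFrame(expected[name], () => iframe.contentWindow.location.href);
      if (result.status !== 'ok') {
        iframe.src = homeSrc; // reload the frame with the content the page meant to show
      }
    });
  }
}
```

Two caveats a practitioner would want: the check only works for frames the page expects to be same-origin, since a frame it deliberately embeds from another site (the Google-in-Windows-Update screenshot is the attacker's doing, not the page owner's) is unreadable either way; and it is a page-owner mitigation that limits the damage, while the actual fix for the frame-navigation bug the article describes has to come from the browser.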

[ ALSO SEE: Internet Explorer ‘feature’ causing drive-by malware attacks ]


Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Comments

Yes, but if you continued a previous session
dunn@... 9th Jul 2008
that had inserted the iframe then just changing the URL to another site is not going to ensure that the IFrame is not still present.
Google pages enter unannounced.
or a tab?

There has to be somebody looking at the doc model, right?

So if one uses IE one window, one website at a time, is this safe?

I think your article isn't complete until it answers the question of what is _safe_ to do. Otherwise, it is scare tactics -- unless there is no safety.

I and surely others would like to know. And wondering what web browser has any possibility to work with one's banks.

N.
Yes, via a hidden IFrame...
dunn@... 1st Jul 2008
You don't have to see another window open for an IFrame attack to occur, and in most cases the author does not want you to see that another Frame has been opened, so they hide it. Nonetheless that IFrame is usually pointed at a server of the malware author's choice to further download malware onto your PC.
good point, but
Narr vi 1st Jul 2008
this would imply there had been a successful 'intervention' on the target website, right? SQL injection, etc..

It's still not clear to me that there can be the attack if the primary website, the bank for example, has not been altered. Please say if you think there can.

If the bank itself has been hit, all safe bets are off, including this one clearly having its chance to play.

Do you think this is seeing clearly?

Thanks,
Narr vi
unpatched? this is obvious, because it's a new flaw
Newly Discovered
balaknair 1st Jul 2008
Just like the Firefox 3 vulnerability which also affects FF2. This one affects IE6 and IE8 as well as IE7. It's been around for a while; it's been found just now.
Does this affect Vista????
Yes
forrestgump2000@... 1st Jul 2008
Vista is affected.
NT
Just another example of Redmond's innovation.
But if past history is any indicator they will probably wait until August's Patch Tuesday, if even then.
Secunia marks this as moderately critical. Has the author analyzed the nature of the hack? It looks like the initial step is to convince the user to open a weird URL.

So this only means that if you want to go to your bank, you should type the URL directly (or use a shortcut). After that, do not trust sites that do not use https for the logon page or the ones that load a mixture of secure and secure-not URLs.

Right?
Yes, it's always best to use known shortcuts or type URLs directly when going to a bank site, but with this exploit you're not even guaranteed to be safe if the malicious site was visited at some point BEFORE you went to your banking website. Even if you don't see any Internet Explorer windows open on your computer, there could be a hidden window left over from a previous browsing session. Check the processes tab of your task manager to make sure there are no leftover iexplore.exe processes still running before opening a window to do your banking. At least until this is patched...
and much as I was getting at above.

I always use bookmarks to go to financial sites - and even on Firefox, look up any site name by Google of its company if not absolutely sure of the URL.

Yet because IE has the hanging-process bug, sure enough there is a way to have malware primed and ready from a previously visited hacked site.

For myself, time to experiment again and find out how many of the serious sites I visit can now be run from Firefox with NoScript.

Regards,
Narr vi
Going to your Financial Institution and even then go to task manager and ensure that there are no "iexplore.exe" processes running say from having Outlook open.

I have my home page set to "about:Blank" and always close IE after ANY financial transaction and also ensure that is the only session as in you don't have another tab open.
