Gaping holes exposed in fully-patched IE 7, Firefox

Summary: Polish hacker Michal Zalewski has ratcheted up his ongoing assault on Web browser security models, releasing details on serious flaws in fully patched versions of IE 6, IE 7 and Firefox 2.0.


Polish hacker Michal Zalewski has ratcheted up his ongoing assault on Web browser security models, releasing details on serious flaws in fully patched versions of IE 6, IE 7 and Firefox 2.0.

Zalewski, a well-respected security researcher, published demos of four different browser vulnerabilities on the Full Disclosure mailing list, warning of unpatched cookie stealing, page hijacking, memory corruption and URL bar spoofing bugs.

The most serious of the four -- a page update race condition affecting Microsoft's IE 6 and IE 7 -- is rated "critical." Zalewski explains with an online demo of an exploit:

In short, when Javascript code instructs MSIE to navigate away from a page that meets same-domain origin policy (and hence can be scriptually accessed and modified by the attacker) to an unrelated third-party site, there is a window of opportunity for concurrently executed Javascript to perform actions with the permissions for the old page, but actual content for the newly loaded page, for example: read or set victim.document.cookie, arbitrarily alter document DOM, including changing form submission URLs, injecting code, or even crashing the browser due to memory corruption while reading and writing not fully initialized data structures.

"In other words, the entire security model of the browser collapses like a house of cards and renders you vulnerable to a plethora of nasty attacks," Zalewski warns, noting that local system compromise is also possible.

Zalewski also dropped details of a "major" Firefox cross-site IFRAME hijacking bug that could allow malicious code execution, keystroke interception and content spoofing attacks. An online demo with technical details was published alongside the disclosure.

Mozilla developers are tracking the issue, which is a variant of a bug that has haunted Firefox since 2006.

Demos of two other medium-risk flaws affecting IE and Firefox were also released.

One is a Firefox prompt-delay bypass issue (demo here) that allows non-consensual download or execution of files.

A sequence of blur/focus operations can be used to bypass delay timers implemented on certain Firefox confirmation dialogs, possibly enabling the attacker to download or run files without user's knowledge or consent.

The other is a URL bar spoofing flaw that affects IE 6 (demo here). It could allow an attacker to mimic an arbitrary site, possibly including SSL data. Internet Explorer 7 is not affected by this bug because of certain high-level changes in the browser, Zalewski said.

[UPDATE: June 4, 2007 @ 1:50 PM] Microsoft is looking into Zalewski's warning. A statement from an MSRC spokesman:

Microsoft is investigating new public claims of two possible vulnerabilities in Internet Explorer. Microsoft is not aware of any attacks attempting to use the possible vulnerabilities or of customer impact at this time. Microsoft will continue to investigate the claims to help provide additional guidance for customers as necessary.

Talkback

106 comments
  • Most serious is IE when Mozilla has the arbitrary code execution bug?

    Let's see, IE bug says nothing about arbitrary code execution. Mozilla bug allows arbitrary code execution. Yet the IE bug is the most serious? Something does not compute.
    georgeou
    • At a guess

      I'd say the bit you missed was, [i]"the entire security model of the browser collapses like a house of cards"[/i]. He was at that point apparently talking about IE. Given that, that's probably why he rated IE's issues higher than Mozilla's.
      zkiwi
      • House of cards indeed.

        The "security zones" model is already a house of cards. This kind of attack has been the most common vector for virus and worm infestation since 1997.
        Resuna
    • Both are very serious

      George,

      The MSIE bug was rated "critical" by this respected individual, but that does not mean he feels that the FF bugs were/are insignificant. Both browsers definitely have holes, and as far as I can tell, both of these browsers' vulnerabilities are very serious.

      If the MSIE bug is called "very, very serious" and the FF bug is called "very serious," is that really a slap in the face of Microsoft or a pat on the back to Mozilla? No. Is it possible that the researcher is biased against MSIE? Maybe. However, the fact that he hacks both browsers and reports bugs on both suggests that any bias he might have does not cloud his professional opinion. I can see no real evidence of him trying to make MSIE sound so much worse than FF. Essentially the report says, "MSIE and FF both have major bugs, and the MSIE bug is slightly more critical." The real question to ask is [i]why[/i] the MSIE bug is slightly more critical in his opinion. It might simply be a case of MSIE having such a comparatively large installed user base. Or perhaps he feels that MS has a less-than-stellar record of addressing bugs. I can't speak for the author, but I'd definitely listen to what he has to say if you asked him the question. This could possibly be a topic for another blog?

      -MC
      Mercutio_Viz
    • Execution holes and more...

      The problem is that the Microsoft HTML control's security model is based on zones. If it's rendering a page in a trusted zone then any script on that page has full local user rights. So... if you can inject a script into an arbitrary zone then you're basically home free.

      This is serious because the API that applications like IE use to call the HTML control is very fragile. Fixing any security hole involving zones is very very hard, because there's generally a dozen related holes that any precise fix will leave open, and closing them all will either break working code or require Microsoft to punt the decision to the user (and we've seen how well that works).
      Resuna
      • Vista is safe... once again

        [i]If it's rendering a page in a trusted zone then any script on that page has full local user rights. So... if you can inject a script into an arbitrary zone then you're basically home free.[/i]

        You make this sound like a trivial endeavor, much like "If I can fool someone into running my trojan with administrator rights, then I'll own their machine and prove that Windows sucks."

        Try opening a trusted zone URL from an IE7 window that was displaying untrusted content and Vista will display a popup saying:

        [i]Internet Explorer needs to open a new window to display this webpage.

        For your computer's security, websites that are in different security zones must open in different windows.[/i]

        Why? Protected mode is the answer. Untrusted websites run with even fewer privileges than the current user. While other browsers will quite happily allow any exploit to delete all of a user's files, IE7 on Vista keeps your user files (unarguably the [b]most[/b] precious files on a home computer) safe.

        What's the end result? The zealots gloat because yes, IE7 may be vulnerable to exploits. What doesn't get factored into the exploit count is what the exploits are actually able to do. I don't care if there are 999,999,999,999 working, in the wild exploits for IE7 on Vista if not even one of them can harm a single bit on my computer.
        NonZealot
        • So...

          I guess you think you are smarter than this guy who rates it as critical, and I quote him regarding IE where he generalizes thus... [i]"the entire security model of the browser collapses like a house of cards."[/i]
          zkiwi
          • No, but I'm smarter than you

            [i]the entire security model of the browser collapses like a house of cards.[/i]

            I will give him the benefit of the doubt and assume that when he said "security model of the [b]browser[/b]", he meant "security model of the [b]browser[/b]". The security model of Vista (which is what I referred to in my post) is still intact and there to catch any exploits that make it past "the security model of the [b]browser[/b]". The security model of the [b]browser[/b] is the whole zone concept. The security model of the OS is the whole ACL concept. The two are totally different. Wow, I'm amazed I have to spell some of these things out. OTOH, considering the audience, perhaps it really isn't all that amazing.

            Even if we aren't willing to give him the benefit of the doubt, since he included IE6 in his vulnerability link, perhaps he was referring only to XP. I quite clearly stated that IE7 [b]on Vista[/b] was not vulnerable... and it isn't.

            In the end, unless anyone can prove to me that these vulnerabilities are able to get past IE7's default Protected Mode, I really don't care how smart you think he is or how dumb you think I am. Until proven otherwise, he could be smart but still be wrong and I could be dumb but still be right. You will still be dumb and wrong. :)
            NonZealot
          • PoC works on Vista.

            I just tried the example exploit and it concluded my Vista system is vulnerable. However, to what extent is unknown. The PoC is limited to just displaying the contents of a cookie (google.pl) and tells us little, if anything, about the security of Windows. All it tells us is that a script can read the contents of a cookie.
            ye
          • Just tried it and Vista is safe

            There is certainly a vulnerability in IE7 on Vista and I'm not denying that. What has not been proven is whether or not Protected Mode will prevent that vulnerability from doing anything nasty to your local system. I just tested it and the answer in this case appears to be yes, it will protect the local system and it has to do with the very proactive default security settings in IE7.

            Add http://www.google.pl to your trusted site zone (by default, Protected Mode is turned off for trusted sites) and rerun the test. Immediately you will notice that the "exploit" page opens in one window and the google page opens in another. The exploit page is running inside Protected Mode, the Google page is not. The danger here is: can the untrusted "exploit" page run javascript on the trusted Google page? When I tested it, the answer was no. This shows that while the vulnerability can be used cross domain, it [b]cannot[/b] be used to bypass Protected Mode. If the exploit tries to do its thing on a trusted site, it fails.

            There is potential for arbitrary code execution (though no PoC so this is nothing more than a maybe) but the code would run with extremely limited rights, even fewer rights than the current user. End result? You hate to see an exploit but at least this one cannot affect your local computer. No OS can be written to eliminate all bugs in all programs. Once again though, Vista has proactively protected me from a future exploit without any anti-virus or patch.

            Finally, we'll just ignore the fact that this exploit relies on a race condition that took about 50 page refreshes to occur. This one is hardly likely to slip under the radar. :)
            NonZealot
          • PoC doesn't tell us a whole lot.

            The explanation given doesn't help me to understand the nature of the vulnerability/exploit so it's almost useless in helping me determine the impact of the vulnerability. From what I can tell the only flaw demonstrated by this exploit is allowing "website" A the ability to read a cookie for "website" B. This could allow a malicious web operator the ability to read sensitive information. Then there's the question of: How likely is a trusted web page to link to a malicious web page? Trusting a website is something the user has to specifically do. And there's a reason why they're called "trusted". Not much can be done if a user-trusted website is untrustworthy.

            But again I'm not fully understanding the vulnerability with the little bit of information given. Perhaps I'm way off base so take what I've written with a grain of salt. Corrections welcome.
            ye
          • Oh?

            Dumb and wrong, that'd be you. Keep on claiming you're right in spite of evidence, and denying it exists. It only makes used bricks look like they could debate you successfully.
            zkiwi
          • The problem

            The problem is not the OS but how M$ has built IE7 into Vista, straight into the registry, integrated straight into the kernel in real time mode, it's a disaster waiting to happen.
            qvtech
          • We've heard this song before. It was invalid then and...

            ...it's invalid now.
            ye
          • So I've got to go out and get Vista...

            ....to be secure with IE7?

            OTOH, I use XP, which still has a much larger user base, and I'm insecure with IE7.

            The hacker does not mention OSs because as far as the bugs are concerned it's irrelevant.
            mdsmedia
          • You are a joke

            "I quite clearly stated that IE7 on Vista was not vulnerable... and it isn't."
            -------------------
            "There is certainly a vulnerability in IE7 on Vista and I'm not denying that"
            -------------------
            I think you should get your line straight before you go off blasting people and their intelligence...you state exact opposites in nearly back to back posts...nice job...do you work for the government?
            cuba_pete@...
        • The problem isn't Vista, the problem's IE. Vista can't solve that.

          'You make this sound like a trivial endeavor, much like "If I can fool someone into running my trojan with administrator rights, then I'll own their machine and prove that Windows sucks."'

          Trivial, no. Over the past decade I have only found a couple of approaches that let me use security zones to elevate the privilege of a web page. Individual exploits for this vulnerability can be countered, one by one, but still... there have been hundreds of successful attacks on this flaw over the years, by various people.

          Trivial, no. A significant barrier... clearly not.

          "Try opening a trusted zone URL from an IE7 window that was displaying untrusted content and Vista will display a popup"

          As I said, many individual exploits have been discovered and countered. The fact remains that the underlying design still depends on the HTML control keeping track of the security zone and detecting when a page is opened in an unexpected zone. And the HTML control does not, in principle, have enough information to make that decision.

          Protected mode mitigates the damage. In protected mode, you're running as a user with reduced privileges. So at most you can execute code in protected mode. That's not so great a protection... a program in protected mode can still write to the disk (otherwise it couldn't save cookies), read from the disk, open network connections.

          The files in your account may be safe, but your credit cards, bank account, tax and mortgage information, email, none of these are safe.

          Security is like sex. Once you're penetrated, you're ****ed. that's true even on a modern operating system like Windows NT (under whatever name you give it). It's much too good an OS to make Microsoft's raping of its security by things like the HTML control and other Legacy windows applications at all attractive.
          Resuna
          • Clarify your point

            If your point was that no OS is safe, okay, point made. The undeniable fact is that Vista has proactively protected not only my system files but my user files as well. Vista can't "solve" the exploit but it can neuter it which, in my books, is good enough until MS patches this vulnerability.

            [i]Security is like sex. Once you're penetrated, you're ****ed.[/i]

            Do you log in to your *nix box as root? Why not? If what you wrote was true, no one would bother with restricted rights account. If security is like sex then there are different levels of penetration. This PoC has a 1/2 inch "member" if you get my drift. It isn't penetrating anything. :)
            NonZealot