Language:
switch to room list switch to menu My folders
Go to page: [1] 2 3 4 5 ... Last
↑↑↑ Old messages ↑↑↑            ↓↓↓ New messages ↓↓↓
[#] Fri Jun 11 2004 16:43:08 EDT from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA04-163A -- Cross-Domain Redirect Vulnerability in Internet Explorer

[Reply] [ReplyQuoted] [Headers] [Print]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Technical Cyber Security Alert TA04-163A

Cross-Domain Redirect Vulnerability in Internet Explorer

Original release date: June 11, 2004
Last revised: --
Source: US-CERT


Systems Affected

Microsoft Windows systems


Overview

A cross-domain vulnerability in Internet Explorer (IE) could allow an
attacker to execute arbitrary code with the privileges of the user
running IE.


I. Description

There is a cross-domain vulnerability in the way IE determines the
security zone of a browser frame that is opened in one domain then
redirected by a web server to a different domain. A complex set of
conditions is involved, including a delayed HTTP response (3xx status
code) to change the content of the frame to the new domain.
Vulnerability Note VU#713878 describes this vulnerability in more
technical detail and will be updated as further information becomes
available.

Other programs that host the WebBrowser ActiveX control or use the
MSHTML rendering engine, such as Outlook and Outlook Express, may also
be affected.

This issue has been assigned CVE CAN-2004-0549.


II. Impact

By convincing a victim to view an HTML document (web page, HTML
email), an attacker could execute script in a different security
domain than the one containing the attacker's document. By causing
script to be run in the Local Machine Zone, the attacker could execute
arbitrary code with the privileges of the user running IE.

Publicly available exploit code exists for this vulnerability, and
US-CERT has monitored incident reports that indicate that this
vulnerability is being actively exploited.


III. Solution

Until a complete solution is available from Microsoft, consider the
following workarounds.

Disable Active scripting and ActiveX controls

Disabling Active scripting and ActiveX controls in the Internet Zone
(or any zone used by an attacker) appears to prevent exploitation of
this vulnerability. Disabling Active scripting and ActiveX controls in
the Local Machine Zone will prevent widely used payload delivery
techniques from functioning. Instructions for disabling Active
scripting in the Internet Zone can be found in the Malicious Web
Scripts FAQ. See Microsoft Knowledge Base Article 833633 for
information about securing the Local Machine Zone. Also, Service Pack
2 for Windows XP (currently at RC1) includes these and other security
enhancements for IE.

Do not follow unsolicited links

Do not click on unsolicited URLs received in email, instant messages,
web forums, or internet relay chat (IRC) channels. While this is
generally good security practice, following this behavior will not
prevent exploitation of this vulnerability in all cases.

Maintain updated anti-virus software

Anti-virus software with updated virus definitions may identify and
prevent some exploit attempts. Variations of exploits or attack
vectors may not be detected. Do not rely solely on anti-virus software
to defend against this vulnerability. More information about viruses
and anti-virus vendors is available on the US-CERT Computer Virus
Resources page.


Appendix B. References

* Vulnerability Note VU#713878-
<http://www.kb.cert.org/vuls/id/713878>

* Malicious Web Scripts FAQ -
<http://www.cert.org/tech_tips/malicious_code_FAQ.html#steps>

* Computer Virus Resources -
<http://www.us-cert.gov/other_sources/viruses.html>

* CVE CAN-2004-0549 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0549>

* Microsoft Knowledge Base Article 833633 -
<http://support.microsoft.com/default.aspx?scid=833633>

* Windows XP Service Pack 2 RC1 -
<http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/wi
nxpsp2.mspx>

* Increase Your Browsing and E-Mail Safety -
<http://www.microsoft.com/security/incident/settings.mspx>

* Working with Internet Explorer 6 Security Settings -
<http://www.microsoft.com/windows/ie/using/howto/security/settings
.mspx>

_________________________________________________________________


Public incidents related to this vulnerability were reported by Rafel
Ivgi. Thanks to Jelmer for further research and analysis.

_________________________________________________________________


Feedback can be directed to the author: Art Manion.

Send mail to <mailto:cert@cert.org>.

Please include the Subject line "TA04-163A Feedback VU#713878".

_________________________________________________________________


Copyright 2004 Carnegie Mellon University.

Terms of use: <http://www.us-cert.gov/legal.html>

_________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA04-163A.html>

_________________________________________________________________


Revision History

June 11, 2004: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFAyhdcXlvNRxAkFWARAt2eAKCRDeqWLNgG+xXJtd0PyRGeN+S69ACfcXoi
GDMew8rDUjleel9OLMqs9W4=
=ZAyn
-----END PGP SIGNATURE-----

[#] Fri Jun 11 2004 16:52:35 EDT from "CERT Advisory" <cert-advisory@cert.org> to cert-advisory@cert.org

Subject: US-CERT Technical Cyber Security Alert TA04-163A -- Cross-Domain Redirect Vulnerability in Internet Explorer

[Reply] [ReplyQuoted] [Headers] [Print]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Technical Cyber Security Alert TA04-163A

Cross-Domain Redirect Vulnerability in Internet Explorer

Original release date: June 11, 2004
Last revised: --
Source: US-CERT


Systems Affected

Microsoft Windows systems


Overview

A cross-domain vulnerability in Internet Explorer (IE) could allow an
attacker to execute arbitrary code with the privileges of the user
running IE.


I. Description

There is a cross-domain vulnerability in the way IE determines the
security zone of a browser frame that is opened in one domain then
redirected by a web server to a different domain. A complex set of
conditions is involved, including a delayed HTTP response (3xx status
code) to change the content of the frame to the new domain.
Vulnerability Note VU#713878 describes this vulnerability in more
technical detail and will be updated as further information becomes
available.

Other programs that host the WebBrowser ActiveX control or use the
MSHTML rendering engine, such as Outlook and Outlook Express, may also
be affected.

This issue has been assigned CVE CAN-2004-0549.


II. Impact

By convincing a victim to view an HTML document (web page, HTML
email), an attacker could execute script in a different security
domain than the one containing the attacker's document. By causing
script to be run in the Local Machine Zone, the attacker could execute
arbitrary code with the privileges of the user running IE.

Publicly available exploit code exists for this vulnerability, and
US-CERT has monitored incident reports that indicate that this
vulnerability is being actively exploited.


III. Solution

Until a complete solution is available from Microsoft, consider the
following workarounds.

Disable Active scripting and ActiveX controls

Disabling Active scripting and ActiveX controls in the Internet Zone
(or any zone used by an attacker) appears to prevent exploitation of
this vulnerability. Disabling Active scripting and ActiveX controls in
the Local Machine Zone will prevent widely used payload delivery
techniques from functioning. Instructions for disabling Active
scripting in the Internet Zone can be found in the Malicious Web
Scripts FAQ. See Microsoft Knowledge Base Article 833633 for
information about securing the Local Machine Zone. Also, Service Pack
2 for Windows XP (currently at RC1) includes these and other security
enhancements for IE.

Do not follow unsolicited links

Do not click on unsolicited URLs received in email, instant messages,
web forums, or internet relay chat (IRC) channels. While this is
generally good security practice, following this behavior will not
prevent exploitation of this vulnerability in all cases.

Maintain updated anti-virus software

Anti-virus software with updated virus definitions may identify and
prevent some exploit attempts. Variations of exploits or attack
vectors may not be detected. Do not rely solely on anti-virus software
to defend against this vulnerability. More information about viruses
and anti-virus vendors is available on the US-CERT Computer Virus
Resources page.


Appendix B. References

* Vulnerability Note VU#713878-
<http://www.kb.cert.org/vuls/id/713878>

* Malicious Web Scripts FAQ -
<http://www.cert.org/tech_tips/malicious_code_FAQ.html#steps>

* Computer Virus Resources -
<http://www.us-cert.gov/other_sources/viruses.html>

* CVE CAN-2004-0549 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0549>

* Microsoft Knowledge Base Article 833633 -
<http://support.microsoft.com/default.aspx?scid=833633>

* Windows XP Service Pack 2 RC1 -
<http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/wi
nxpsp2.mspx>

* Increase Your Browsing and E-Mail Safety -
<http://www.microsoft.com/security/incident/settings.mspx>

* Working with Internet Explorer 6 Security Settings -
<http://www.microsoft.com/windows/ie/using/howto/security/settings
.mspx>

_________________________________________________________________


Public incidents related to this vulnerability were reported by Rafel
Ivgi. Thanks to Jelmer for further research and analysis.

_________________________________________________________________


Feedback can be directed to the author: Art Manion.

Send mail to <mailto:cert@cert.org>.

Please include the Subject line "TA04-163A Feedback VU#713878".

_________________________________________________________________


Copyright 2004 Carnegie Mellon University.

Terms of use: <http://www.us-cert.gov/legal.html>

_________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA04-163A.html>

_________________________________________________________________


Revision History

June 11, 2004: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFAyhdcXlvNRxAkFWARAt2eAKCRDeqWLNgG+xXJtd0PyRGeN+S69ACfcXoi
GDMew8rDUjleel9OLMqs9W4=
=ZAyn
-----END PGP SIGNATURE-----

[#] Sat Jun 19 2004 18:00:58 EDT from "Mike Burger" <mburger@bubbanfriends.org> to room_cert-advisory@dogpound2.citadel.org

Subject: Does this work?

[Reply] [ReplyQuoted] [Headers] [Print]

Just trying something new.

[#] Sat Jun 19 2004 18:00:58 EDT from "Mike Burger" <mburger@bubbanfriends.org> to room_cert-advisory@dogpound2.citadel.org

Subject: Does this work?

[Reply] [ReplyQuoted] [Headers] [Print]

(no text)

[#] Sat Jun 19 2004 18:00:58 EDT from "Mike Burger" <mburger@bubbanfriends.org> to room_cert-advisory@dogpound2.citadel.org

Subject: Does this work?

[Reply] [ReplyQuoted] [Headers] [Print]

(no text)

[#] Sat Jun 19 2004 18:00:58 EDT from "Mike Burger" <mburger@bubbanfriends.org> to room_cert-advisory@dogpound2.citadel.org

Subject: Does this work?

[Reply] [ReplyQuoted] [Headers] [Print]

(no text)

[#] Sat Jun 19 2004 18:08:16 EDT from Freakdog @ Dog Pound BBS II

[Reply] [ReplyQuoted] [Headers] [Print]

Did anyone else get that 4 times?

[#] Sat Jun 19 2004 18:09:15 EDT from "Mike Burger" <mburger@bubbanfriends.org> to room_cert-advisory@dogpound2.citadel.org

Subject: Checking somethign else out

[Reply] [ReplyQuoted] [Headers] [Print]

Log was showing some sort of error about connection refused trying to talk to spamassassin on my server, so I'm trying this again, after restarting spamd.

[#] Sat Jun 19 2004 18:11:34 EDT from "Mike Burger" <mburger@bubbanfriends.org> to room_cert-advisory@dogpound2.citadel.org

Subject: Again

[Reply] [ReplyQuoted] [Headers] [Print]

Still got that, so I'm trying something else, and going again.

[#] Sat Jun 19 2004 18:09:15 EDT from "Mike Burger" <mburger@bubbanfriends.org> to room_cert-advisory@dogpound2.citadel.org

Subject: Checking somethign else out

[Reply] [ReplyQuoted] [Headers] [Print]

(no text)

[#] Sat Jun 19 2004 18:11:34 EDT from "Mike Burger" <mburger@bubbanfriends.org> to room_cert-advisory@dogpound2.citadel.org

Subject: Again

[Reply] [ReplyQuoted] [Headers] [Print]

(no text)

[#] Sat Jun 19 2004 18:09:15 EDT from "Mike Burger" <mburger@bubbanfriends.org> to room_cert-advisory@dogpound2.citadel.org

Subject: Checking somethign else out

[Reply] [ReplyQuoted] [Headers] [Print]

(no text)

[#] Sat Jun 19 2004 18:11:34 EDT from "Mike Burger" <mburger@bubbanfriends.org> to room_cert-advisory@dogpound2.citadel.org

Subject: Again

[Reply] [ReplyQuoted] [Headers] [Print]

(no text)

[#] Sat Jun 19 2004 18:11:34 EDT from "Mike Burger" <mburger@bubbanfriends.org> to room_cert-advisory@dogpound2.citadel.org

Subject: Again

[Reply] [ReplyQuoted] [Headers] [Print]

(no text)

[#] Sat Jun 19 2004 18:09:15 EDT from "Mike Burger" <mburger@bubbanfriends.org> to room_cert-advisory@dogpound2.citadel.org

Subject: Checking somethign else out

[Reply] [ReplyQuoted] [Headers] [Print]

(no text)

[#] Sat Jun 19 2004 18:32:45 EDT from Freakdog @ MCM Groups

[Reply] [ReplyQuoted] [Headers] [Print]

Apparently, nobody else got that...although I know that I saw the message go into the outbound spools.

[#] Sat Jun 19 2004 21:36:22 EDT from Patriot @ PixelBBS

[Reply] [ReplyQuoted] [Headers] [Print]

Nope. Nothing here.

[#] Sat Jun 19 2004 21:24:15 EDT from Ian M. Shot @ Haven BBS

[Reply] [ReplyQuoted] [Headers] [Print]

I got a bunch of loop zaps from you, 4 of them in fact, but nothing to the room.

[#] Sat Jun 19 2004 23:01:22 EDT from Freakdog @ Dog Pound BBS II

[Reply] [ReplyQuoted] [Headers] [Print]

Really? Loopzaps? Can you post the header from it?

[#] Sat Jun 19 2004 23:04:36 EDT from "Mike Burger" <mburger@bubbanfriends.org> to room_cert-advisory@dogpound2.citadel.org

Subject: Ok...one more try...

[Reply] [ReplyQuoted] [Headers] [Print]

Let's see if Pixel does not resend via email, this time.

Go to page: [1] 2 3 4 5 ... Last