[ISN] IE 6 Privacy Features Open Users To Attack - Expert

From: InfoSec News (isnat_private)
Date: Tue Apr 23 2002 - 22:49:16 PDT

    http://www.newsbytes.com/news/02/176077.html
    
    By Brian McWilliams, Newsbytes
    REDMOND, WASHINGTON, U.S.A.,
    23 Apr 2002, 12:47 PM CST
     
    Security flaws in privacy features added to Microsoft's Web browser
    could enable attackers to perform several privacy-robbing attacks,
    including hijacking victims' MSN Messenger accounts, a security
    researcher warned.
    
    According to Thor Larholm, a developer with Denmark-based Internet
    portal Jubii.dk, "severe" bugs in the "Privacy Report" feature in
    Internet Explorer version 6 can be exploited "in effect removing all
    privacy."
     
    Last week, Larholm posted an advisory and harmless demonstrations of
    the flaws at his personal Web site. One example showed how the browser
    bugs enable a Web site to launch programs that exist on the user's
    hard disk. Another demo page silently sends a message to users in the
    target's MSN Messenger contact list.
    
    "Hello, my MSN has just been h4><0r3d. However, this is nothing
    to be worried about. Your MSN is fine. The person who sent this would
    probably like a reply though, to show that it worked," read the
    instant message transmitted by Larholm's demonstration.
    
    Larholm said the IE flaws also enable an attacker to steal a victim's
    browser cookies. Cookie files are sometimes used by the browser to
    authenticate users and allow them to access sites. Larholm did not
    provide a demonstration of the cookie-stealing exploit.
    
    According to Larholm, he notified Microsoft about the IE
    vulnerabilities on March 18. The researcher said he decided to
    publicize his findings because he felt Microsoft was not giving the
    flaws proper consideration.
    
    "After a month, they are still only at a stage where they are
    considering whether to patch it," said Larholm in an interview today.
    
    A Microsoft representative said the company was still investigating
    the issue and declined further comment.
    
    Larholm said the security flaws lie in an IE feature for creating
    dialog windows. The browser fails to perform proper validation
    checking when a privacy dialog window interacts with a remote site, he
    said.
    
    By clicking an icon in the browser's status bar, IE 6 users can view a
    privacy report when they visit a site. The report enables users to
    control how the browser handles cookies from the site and to view its
    privacy policy.
    
    Disabling IE's use of JavaScript prevents the flaws from being
    exploitable, according to Larholm.
    
    In response to Larholm's advisory, GreyMagic Software of Israel said
    it found similar dialog-related flaws in another IE resource named
    Analyze.dlg. According to GreyMagic, earlier versions of Microsoft's
    browser, including IE 5 and IE 5.5, as well as IE 6, are vulnerable to
    the attack.
    
    Larholm's advisory is at /
    
    GreyMagic's advisory is at /
    
    Microsoft's description of privacy features in IE is at
    http://www.microsoft.com/windows/ie/evaluation/overview/privacy.asp
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    



    This archive was generated by hypermail 2b30 : Wed Apr 24 2002 - 01:43:04 PDT