

IE 8

CORE-2008-0826 - Internet Explorer Security Zone restrictions bypass

MSRC responds that patches to IE ship every two months and the next
available ship date will be February 10th. The case is currently rated
as an Important class Information Disclosure vulnerability. The vendor
provides a list of affected components and platforms. The MSRC was able
to reproduce this issue on all IE versions with the following
exceptions: IE7 and IE8 on Windows Vista when Protected Mode is ON. In
spite of that, MSRC does not include IE8 in the list of affected components
because it is still a beta product.

. 2009-01-08:
Core asks MSRC if it is still on track to release patches on February

CORE-2009-0625: Internet Explorer Dynamic OBJECT tag and URLMON sniffing vulnerabilities

9. *Report Timeline*

. 2009-04-17:
Core Security Technologies sends proof-of-concept code for the URLMON
sniffing vulnerability in IE8 to Microsoft. The code is deemed an
exploit variant for an Internet Explorer bug that has already been patched
in IE 8, but it is part of an ongoing report for other IE versions.

. 2009-06-01:
Microsoft says that the PoC corresponds to a separate bug than the one

Exploiting IE8 UTF-7 XSS Vulnerability using Local Redirection

May 12th, 2009

Conventions:
Attacker Domain - Securethoughts.com
Target Domain - 50webs.com

If you don't remember, there was an important XSS vulnerability reported in all major browsers a while ago - IE7, Firefox and Opera. More information is available in the Secunia advisories: http://secunia.com/advisories/search/?search=utf-7+charset+inheritance. The vulnerability was that if you don't specify a charset in your application page, then it is susceptible to inheriting the charset of the parent page via iframes. So, if you accidentally land on an evil site, an attacker might be able to steal your application session, since your usual XSS prevention stuff [<,>,",',etc] will not filter the UTF-7 encoded chars and the XSS will execute in your vulnerable domain. Proof of Concept that works in IE7 but not in IE8 -
http://www.securethoughts.com/security/ie8utf7/ie7utf-7.html


DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera

This exploit for the firefoxurl protocol works in Mozilla Firefox 3.0.19 (and
besides previous versions, it must work in 3.5.x and 3.6.x), Internet
Explorer 6 (6.0.2900.2180), Internet Explorer 8 (8.0.7600.16385), Google
Chrome 1.0.154.48 and Opera 9.52.

In Firefox, Chrome and IE8, blocking and overloading of the system occurs,
and IE6 crashes. If automatic start of the program handler for this
protocol is allowed in Firefox by setting the checkbox, then there will be
no blocking of the browser, nor of the system. In Opera the attack proceeds
without blocking, only resource consumption (more slowly than in
other browsers).

Fwd: Wowd search client multiple variable xss

between the browser and the server, leading to loss of integrity.

This issue can be dangerous, because if you are running the
Wowd client, you have all of these vulnerabilities, because
this issue can be exploited across all browsers,
including IE8 with the XSS filter (WoW!)

#################
Versions
#################


[Suspected Spam]DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera

previous versions, it must work in 3.5.x and 3.6.x), Internet Explorer 6
(6.0.2900.2180), Internet Explorer 8 (8.0.7600.16385), Google Chrome
1.0.154.48 and Opera 9.52.

In all mentioned browsers, blocking and overloading of the system occurs
from the starting of Opera, which appeared as the news client on my
computer, and IE8 crashes (on a computer without Opera). In Opera the
attack proceeds without blocking, only resource consumption (more slowly
than in other browsers).

http://websecurity.com.ua/uploads/2010/Firefox,%20IE%20&%20Opera%20DoS%20Exploit.html

Re: DoS vulnerabilities in Firefox, Internet Explorer, Opera and Chrome

Hello Jeremiah!

It's possible that Microsoft made IE8 more stable than IE6, so you got such
a result with this exploit.

Also take into account the hardware of your computer. If your computer is
powerful enough, then this attack on IE8, and even on IE6 and IE7, may not
be as effective (because it's resource consumption in the case of IE, as I
wrote) as it can be on less powerful computers. And many people in the
world have less powerful computers.

Phorum : Permanent Cross-Site Scripting Vulnerabilities

For IE7:
[color=#000000;xss:expression(alert('Sysdream_IE7_Alert'));]Sysdream Testing 
XSS[/color]

Obviously, the POC doesn't work in IE8 and Firefox.

But, but , but...
Uploading htc (for IE8) or xml (for FF) file on the phorum using the "My 
Files" function in "Control Center", you can use :


DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera

previous versions, it must work in 3.5.x and 3.6.x), Internet Explorer 6
(6.0.2900.2180), Google Chrome 1.0.154.48 and Opera 9.52.

For the exploit to work, WebMoney Keeper Classic must be installed. In
Firefox and IE, blocking and overloading of the system occurs from the
starting of WebMoney Keeper (it also must work in IE8, but there was no
WebMoney Keeper on the computer with IE8 to check it). In Chrome, blocking
of the browser occurs. In Opera the attack proceeds without blocking,
only resource consumption (more slowly than in other browsers).

http://websecurity.com.ua/uploads/2010/Firefox,%20IE,%20Chrome%20&%20Opera%20DoS%20Exploit5.html

Microsoft Internet Explorer DoS in Rendering Malicious PNG Files.


*Version Affected:*
IE 7 / IE 8 BETA

*Severity:*
Intermediate

*Background:*
Mshtml.dll is a standard library which is responsible for rendering

Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera

>>> (6.0.2900.2180), Internet Explorer 8 (8.0.7600.16385), Google Chrome
>>> 1.0.154.48 and Opera 9.52.
>>>
>>> In all mentioned browsers, blocking and overloading of the system
>>> occurs from the starting of Opera, which appeared as the news client
>>> on my computer, and IE8 crashes (on a computer without Opera). In
>>> Opera the attack proceeds without blocking, only resource consumption
>>> (more slowly than in other browsers).
>>>
>>> http://websecurity.com.ua/uploads/2010/Firefox,%20IE%20&%20Opera%20DoS%20Exploit.html

[BMSA 2009-04] Remote DoS in Internet Explorer

Description
-----------

We could not find out the definitive description for Internet Explorer from Microsoft website. This is our own understanding of the application: Internet Explorer is a web browser.

We have discovered a remote DoS vulnerability in Internet Explorer 7 and 8. When visiting a malicious page, the browser may freeze indefinitely, and killing it in Task Manager is required. With IE8's default settings, killing the tab process simply launches another process that goes to the same malicious page, hence repeating the cycle. The root cause is unknown to us. We suspect that it is related to the display of unprintable characters on Windows XP and Vista. The same problem does not occur on Windows 7.

Microsoft has classified this vulnerability as a stability (not security) issue and will be addressing it in the next version of the application.

Workaround
----------

Re: [Suspected Spam]DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera

> (6.0.2900.2180), Internet Explorer 8 (8.0.7600.16385), Google Chrome
> 1.0.154.48 and Opera 9.52.
>
> In all mentioned browsers, blocking and overloading of the system
> occurs from the starting of Opera, which appeared as the news client
> on my computer, and IE8 crashes (on a computer without Opera). In
> Opera the attack proceeds without blocking, only resource consumption
> (more slowly than in other browsers).
>
> http://websecurity.com.ua/uploads/2010/Firefox,%20IE%20&%20Opera%20DoS%20Exploit.html 

Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera

>> (6.0.2900.2180), Internet Explorer 8 (8.0.7600.16385), Google Chrome
>> 1.0.154.48 and Opera 9.52.
>>
>> In all mentioned browsers, blocking and overloading of the system
>> occurs from the starting of Opera, which appeared as the news client
>> on my computer, and IE8 crashes (on a computer without Opera). In
>> Opera the attack proceeds without blocking, only resource consumption
>> (more slowly than in other browsers).
>>
>> http://websecurity.com.ua/uploads/2010/Firefox,%20IE%20&%20Opera%20DoS%20Exploit.html

DoS vulnerability in Internet Explorer

remind you about it.

I have known this vulnerability for a long time - it's a well-known DoS in
IE. It works in IE6, and after the release of IE7 I hoped that Microsoft had
fixed this hole in the seventh version of the browser. But as I tested on
29.09.2008, IE7 was also vulnerable to this attack. And as I tested
recently, IE8 is also vulnerable to this attack.

Also, I informed Microsoft about it on 01.10.2008, but they ignored it and
didn't fix it. They didn't fix the hole in IE6, nor in IE7, nor in IE8.


DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers

And as I checked on 16.05.2010, the web browsers Firefox 3.0.19 and Opera
9.52 are vulnerable to this vulnerability. And I created an exploit for
conducting a DoS attack on Firefox.

Also, I found the possibility to open the email client via an iframe with a
mailto: URL, which works in Firefox 3.0.19, IE6, IE8 and Chrome. And I
created an exploit for conducting the attack on all browsers, which I called
DoS via email. This attack can be conducted both with JS and without it (by
creating a page with a large quantity of iframes).

If the attack via images on a page (which open the email client) is only a discomfort,

Re: Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

--------------------
Affected Software
------------------------

At least Microsoft Windows XP and Windows Server 2003 are affected. The attack
is enhanced against IE >= 8 and other major browsers if Windows Media Player is
available, but an installation is still vulnerable without it.

Machines running a version of IE lower than 8 are, as usual, in even more trouble.

In general, choice of browser, mail client or whatever is not relevant, they

CORE-2010-0323: XSS Vulnerability in NextGEN Gallery Wordpress Plugin

type by parsing the content the web-server returns instead of obeying
the proper headers.

This vulnerability can be triggered on any Wordpress installation with
the NextGEN Gallery extension installed by visiting the following URL
in a browser with this issue. If using IE 8, the XSS Filter must be
turned off.

/-----
http://localhost/wordpress/wp-content/plugins/nextgen-gallery/xml/media-rss.php?mode=%3Cscript%3Ealert(1)%3C/script%3E
-----/

Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers

> conducting
> a DoS attack on Firefox.
>
> Also, I found the possibility to open the email client via an iframe with a
> mailto: URL,
> which works in Firefox 3.0.19, IE6, IE8 and Chrome. And I
> created
> an exploit for conducting the attack on all browsers, which I called DoS via
> email. This attack can be conducted both with JS and without it (by
> creating a page with a large quantity of iframes).
>

CORE-2010-0517 - Microsoft Office HtmlDlgHelper class memory corruption

4. *Vulnerable packages*

   . IE 6
   . IE 7
   . IE 8
   . MS Office XP
   . MS Office 2003
   . MS Office 2007 and MS Office 2010 (the control is disabled by default)



RE: DoS vulnerabilities in Firefox, Internet Explorer, Opera and Chrome

Vulnerable version is Mozilla Firefox 3.0.11 and previous versions (and also
Firefox 3.5).

Vulnerable version is Internet Explorer 6 (6.0.2900.2180) and previous
versions. And potentially next versions (IE7 and IE8).

Vulnerable version is Opera 9.52 and previous versions (and potentially next
versions too).

Vulnerable version is Google Chrome 2.0.172 and previous versions. At that

Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers

>>> conducting
>>> a DoS attack on Firefox.
>>>
>>> Also, I found the possibility to open the email client via an iframe with a
>>> mailto: URL,
>>> which works in Firefox 3.0.19, IE6, IE8 and Chrome. And I
>>> created
>>> an exploit for conducting the attack on all browsers, which I called DoS
>>> via
>>> email. This attack can be conducted both with JS and without it
>>> (by

Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers

>> conducting
>> a DoS attack on Firefox.
>>
>> Also, I found the possibility to open the email client via an iframe with a
>> mailto: URL,
>> which works in Firefox 3.0.19, IE6, IE8 and Chrome. And I
>> created
>> an exploit for conducting the attack on all browsers, which I called DoS via
>> email. This attack can be conducted both with JS and without it (by
>> creating a page with a large quantity of iframes).
>>

Some more details on IE STYLE zero-day

Although Internet Explorer 8 may call CDispNode::SetExpandedClipRect
during an attempted exploitation, it only does so for CDispContainer
and CDispLeafNode instances with non-zero extra size indices, never
(as far as I can tell) for a CDispScroller instance with an extra size
index of 0 (although such instances are still used).  Presumably IE8
contains a silent fix for the flawed logic that allowed the incorrect
SetExpandedClipRect call to happen.

I'm not planning to release an update to last week's unofficial patch
(http://www.securityfocus.com/archive/1/508006), but if anyone wants

Aspect9: Internet Explorer 8.0 Beta 2 Anti-XSS Filter Vulnerabilities

* If a page contains multiple nearby injection points, attacks can be
constructed that thwart the XSS Filter."

For more information about the Anti-XSS filter:
http://blogs.msdn.com/dross/archive/2008/07/03/ie8-xss-filter-design-philosophy-in-depth.aspx

In order to understand the contents of this advisory, the reader must be
familiar with the concept of CRLF injection, which is distinct from CSRF:
http://www.owasp.org/index.php/CRLF_Injection

Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

--------------------
Affected Software
------------------------

At least Microsoft Windows XP and Windows Server 2003 are affected. The attack
is enhanced against IE >= 8 and other major browsers if Windows Media Player is
available, but an installation is still vulnerable without it.

Machines running a version of IE lower than 8 are, as usual, in even more trouble.

In general, choice of browser, mail client or whatever is not relevant, they

Re: Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

> --------------------
> Affected Software
> ------------------------
>
> At least Microsoft Windows XP and Windows Server 2003 are affected. The attack
> is enhanced against IE >= 8 and other major browsers if Windows Media Player is
> available, but an installation is still vulnerable without it.
>
> Machines running a version of IE lower than 8 are, as usual, in even more trouble.
>
> In general, choice of browser, mail client or whatever is not relevant, they

[0day] Microsoft mshtml.dll CTimeoutEventList::InsertIntoTimeoutList memory leak

this ID is pure sequential (1,2,3,4...) but in IE I was getting "weird"
IDs. Later on I discovered that those IDs turned out to be a heap
address plus a counter.


We are leaking a pointer from a segment of IE8's default process
heap. But what is that pointer? Why does it increment every time I press
the button? Let's see the technical analysis:

Inside CWindow's constructor (mshtml's standard), a variable "IDEvent"
is initialized to 1

Google Chrome 3.0.195.38 | Chrome Frame - Reloading Memory Allocation based Tab Crashing

3. It has become smoother and more direct in its functionality.

The software tested against this rule set is mentioned below:

1. Google Chrome Browser
2. Google Chrome Frame. (IE8)

Both are installed on x64 systems running windows vista and IE8. The
test is based on the script code designed to show the tab crashing in
controlled manner.


Akamai Download Manager arbitrary file download & execution

warns users that they are about to launch an external program. Thus, for
an attack to be successful, the target user will have to allow the Windows
Contacts program to be executed. An example of such a warning dialog is
shown in figure 6.

http://www.akitasecurity.nl/advisory/AK20090402/006_ie8_ldap_protocol_warning.png
Figure 6: Browser warning when opening ldap URLs

In addition, on Windows Vista, Windows Contacts will be started outside
Protected Mode. Because of this, a second warning dialog will be shown.



Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
