Internet Explorer 8.0
. Internet Explorer 7 on Windows Server 2003 sp2 if Protected Mode is OFF and not using Enhanced Security Configuration
. Internet Explorer 7 on Windows Server 2008 if Protected Mode is OFF and not using Enhanced Security Configuration
. Internet Explorer 8 on Windows XP sp2
. Internet Explorer 8 on Windows XP sp3
. Internet Explorer 8 on Windows Vista sp1 if Protected Mode is OFF
. Internet Explorer 8 on Windows Vista sp2 if Protected Mode is OFF
Aspect9: Internet Explorer 8.0 Beta 2 Anti-XSS Filter Vulnerabilities
Release Date:
December 11, 2008
Date Reported:
October 5, 2008
Severity:
Medium-High (Execute scripts, Turning Protection Off, Transfer data Cross
Opera
-----------------------------
URL: http://websecurity.com.ua/4248/
-----------------------------
Affected products: Mozilla Firefox, Internet Explorer 6, Internet Explorer
8, Google Chrome, Opera.
-----------------------------
Timeline:
26.05.2010 - found vulnerabilities.
26.05.2010 - informed developers: Mozilla, Microsoft, Google and Opera.
ZDI-09-041: Microsoft Internet Explorer 8 Rows Property Dangling Pointer
Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-041
June 10, 2009
-- CVE ID:
CVE-2009-1532
-- Affected Vendors:
Microsoft
Target Domain - 50webs.com
If you don’t remember, there was an important XSS vulnerability reported in all major browsers a while ago - IE7, Firefox and Opera. More information is available in the Secunia advisories http://secunia.com/advisories/search/?search=utf-7+charset+inheritance. The vulnerability was that if you don’t specify a charset in your application page, then it is susceptible to inheriting the charset of the parent page via iframes. So, if you accidentally land on an evil site, an attacker might be able to steal your application session, since your usual XSS prevention stuff [<,>,",',etc] will not filter the UTF-7 encoded chars and the XSS will execute in your vulnerable domain. Proof of Concept that works in IE7 but not in IE8 -
http://www.securethoughts.com/security/ie8utf7/ie7utf-7.html
This vulnerability was patched in Firefox 2.0.0.2, Opera 9.20 and recently in Internet Explorer 8. Ideally, we should not be vulnerable to this attack anymore. However, I have found a way to attack the fix that was done in Internet Explorer 8. I have tested it working with IE8 RC1 and final release version IE8.0.6001.18702. I call this a “Local Redirection Attack”.
The attack works as follows:
1. You are authenticated to vulnerable domain e.g. 50webs.com.
. Windows Server 2008
5. *Non-vulnerable packages*
. Internet Explorer 8 under Windows 2000/2003/XP/Vista
6. *Vendor Information, Solutions and Workarounds*
The following workarounds can prevent exploitation of the vulnerability:
There is a vulnerability in Internet Explorer which enables execution
of arbitrary code if the user visits a web page controlled by the
attacker. The vulnerability is caused by incorrectly validating an
integer parameter passed to the 'add' method of the Select HTML
element. This vulnerability has been observed in Internet Explorer 8.
The vulnerability was patched by Microsoft on October 11, 2011.
II. THE BUG
The bug is caused by incorrectly validating an integer parameter passed
------------------------------------------------------------------------
Tested version
------------------------------------------------------------------------
This issue was tested on Akamai Download Manager version 2.2.4.8 using
Windows XP SP3 running Internet Explorer 6, 7 & 8 and Windows Vista
running Internet Explorer 8.
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
Akamai reports that this vulnerability should have been fixed in version
IE will fail to load all
subsequent images after an attempt to load the malicious PNG file.
*Detection:*
SecNiche confirmed that this vulnerability affects Internet Explorer 7 and
Internet Explorer 8 Beta
on the Microsoft Windows XP SP2 platform. The versions tested are:
7.0.5730
8.0.6001
and other browsers
-----------------------------
URL: http://websecurity.com.ua/4206/
-----------------------------
Affected products: Mozilla Firefox, Internet Explorer 6, Internet Explorer
8, Google Chrome, Opera and other browsers.
-----------------------------
Timeline:
16.05.2010 - found vulnerability.
17.05.2010 - disclosed at my site.
Opera
-----------------------------
URL: http://websecurity.com.ua/4238/
-----------------------------
Affected products: Mozilla Firefox, Internet Explorer 6, Internet Explorer
8, Google Chrome, Opera.
-----------------------------
Timeline:
26.05.2010 - found vulnerabilities.
26.05.2010 - informed developers: Mozilla, Microsoft, Google and Opera.
III. AFFECTED PRODUCTS
---------------------------
Microsoft Internet Explorer 8
Microsoft Internet Explorer 7
Microsoft Internet Explorer 6
Microsoft Windows XP Service Pack 3
Microsoft Windows XP Professional x64 Edition Service Pack 2
And vulnerabilities have been found not only in browsers but also in plug-ins.
Bank clients, business software, antivirus software: all of them use ActiveX (for IE)
on the client side, and there have been, and still are, many vulnerabilities there.
Vendors take steps to defend us against this. Software vendors patch vulnerabilities and OS vendors
introduce new mechanisms to prevent attacks altogether. But security researchers keep trying to find ways to bypass these mechanisms.
The new versions of browsers (Internet Explorer 8 and Firefox 3.5) use permanent DEP,
and the new versions of OSes use the ASLR mechanism. All this makes the old attack methods impossible.
But at BlackHat DC 2010 an interesting way to bypass DEP and ASLR in browsers (and not only browsers)
and Just-In-Time compilers was presented. This method is called JIT-SPRAY. But there was no public PoC until now.
In this text we describe how to write shellcode for new JIT-Spray attacks and make a universal STAGE 0 shellcode
-- Affected Vendors:
Microsoft
-- Affected Products:
Microsoft Internet Explorer 9
Microsoft Internet Explorer 8
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 11272.
For further product information on the TippingPoint IPS, visit:
Oracle Hyperion Financial Management TList6 ActiveX Control Remote Code Execution Vulnerability
tested against: Internet Explorer 8
Microsoft Windows Server 2003 r2 sp2
download url:
http://www.oracle.com/technetwork/middleware/epm/downloads/index.html
files tested:
SystemInstaller-11121-win32.zip
by nine:situations:group::pyrokinesis
site: http://retrogod.altervista.org/
software site: http://pack.google.com/intl/it/pack_installer.html
tested against: Internet Explorer 8, windows xp sp3
Internet Explorer 7, windows xp sp3
Google Chrome 2.0.172.43
vulnerability:
through the vulnerable googleapps.url.mailto:// deprecated uri handler, registered as follows:
# Author: MaXe @InterN0T (Found in a private Hatforce.com Penetration
Test)
# Software Link: http://ckeditor.com/ & http://drupal.org/node/1332022
# Version: 3.0 - Current 3.6.2 (Drupal module: 6.x-1.8)
# Screenshot: http://i.imgur.com/8TP6w.png
# Tested on: Windows + FireFox 8.0 & Internet Explorer 8.0
Drupal CKEditor - Persistent / Stored Cross-Site Scripting
6. *Solutions and Workarounds*
On the server side, you can upgrade to a non-vulnerable version. On the
client you can use a browser that obeys the Content-Type header
specified by the server, such as Mozilla Firefox, Google Chrome, Apple
Safari or Opera. Internet Explorer 8 with the XSS Filter won't execute
the malicious scripts.
7. *Credits*
-- Affected Vendors:
Microsoft
-- Affected Products:
Microsoft Internet Explorer 8
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 9320.
For further product information on the TippingPoint IPS, visit:
C:\> c:\windows\pchealth\helpctr\binaries\helpctr.exe -url "hcp://system/sysinfo/sysinfomain.htm?svr=<script defer>eval(unescape('Run%28%22calc.exe%22%29'))</script>"
C:\>
While this is fun, this isn't a vulnerability unless an untrusted third party
can force you to access it. Testing suggests that by default, accessing an
hcp:// URL from within Internet Explorer >= 8, Firefox, Chrome (and presumably
other browsers) will result in a prompt. Although most users will click through
this prompt (perfectly reasonable, protocol handlers are intended to be safe),
it's not a particularly exciting attack.
I've found a way to avoid the prompt in a default Windows XP installation in all
Affected Software and System:
=============================
Microsoft Internet Explorer 6
Microsoft Internet Explorer 7
Microsoft Internet Explorer 8
Impact:
======
NSFOCUS Security Team discovered a security vulnerability in Microsoft
Tested on:
FortiMail 100 / 400
Firmware version: v4.0,build0245,101208 (MR1 Patch 2)
Internet Explorer 8
https://<fortimail>/module/admin.fe?reqObject=AdminLogin&reqAction=1&name='"<body onload=alert(666)>&password=admin
https://<fortimail>/module/admin.fe?reqObject=AdminLogin&reqAction=1&name=admin&password='"<body onload=alert(666)>
or
-- Affected Vendors:
Microsoft
-- Affected Products:
Microsoft Internet Explorer 8
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 9735.
For further product information on the TippingPoint IPS, visit:
which causes IE to stop responding (denial of service).
http://websecurity.com.ua/uploads/2008/IE%20DoS%20Exploit4.html
Vulnerable versions are Internet Explorer 6 (6.0.2900.2180), Internet
Explorer 7 (7.0.6000.16711), Internet Explorer 8 (8.0.7600.16385) and
previous versions.
To Susan Bradley from Bugtraq:
This is one of those cases, which I told you before, when browser vendors
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what moves the mind....
----------------------------------------------
Browser: Internet Explorer 8 (Windows)
Browser: Firefox 3.5 (Windows)
Browser: Safari 4 (Windows)
> C:\> c:\windows\pchealth\helpctr\binaries\helpctr.exe -url "hcp://system/sysinfo/sysinfomain.htm?svr=<script defer>eval(unescape('Run%28%22calc.exe%22%29'))</script>"
> C:\>
>
> While this is fun, this isn't a vulnerability unless an untrusted third party
> can force you to access it. Testing suggests that by default, accessing an
> hcp:// URL from within Internet Explorer >= 8, Firefox, Chrome (and presumably
> other browsers) will result in a prompt. Although most users will click through
> this prompt (perfectly reasonable, protocol handlers are intended to be safe),
> it's not a particularly exciting attack.
>
> I've found a way to avoid the prompt in a default Windows XP installation in all
-- Affected Vendors:
Microsoft
-- Affected Products:
Microsoft Internet Explorer 9
Microsoft Internet Explorer 8
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 11271.
For further product information on the TippingPoint IPS, visit:
III. AFFECTED PRODUCTS
---------------------------
Microsoft Internet Explorer 8
Microsoft Internet Explorer 7
Microsoft Internet Explorer 6
Microsoft Windows 7 (32-bit)
Microsoft Windows 7 (64-bit)
>>> -----------------------------
>>> URL: http://websecurity.com.ua/4238/
>>> -----------------------------
>>> Affected products: Mozilla Firefox, Internet Explorer 6, Internet
>>> Explorer
>>> 8, Google Chrome, Opera.
>>> -----------------------------
>>> Timeline:
>>>
>>> 26.05.2010 - found vulnerabilities.
>>> 26.05.2010 - informed developers: Mozilla, Microsoft, Google and Opera.
This problem was confirmed in the following versions of Internet Explorer and Windows; other versions
may also be affected.
Internet Explorer 6 running in All Versions of Windows
Internet Explorer 7 running in All Versions of Windows
Internet Explorer 8 running in All Versions of Windows
MICROSOFT EXPLOITABILITY INDEX