[Dshield] new IE vulnerabilities

Hill, Keith Keith.Hill at occ.treas.gov
Fri Sep 12 18:44:08 GMT 2003

New "highly critical" vulnerabilities report for IE (are you surprised?).
Unfortunately there are no patches as of yet so just disable active
scripting, ActiveX and plug-ins for yourself and all of the computers you

What, you don't like that answer?


Text of advisory
Multiple vulnerabilities have been identified in Microsoft Internet
Explorer. Some could expose sensitive information; others may lead to
execution of arbitrary code.

1) File-protocol proxy / WsOpenFileJPU
A malicious site may retrieve cookie information from other sites by opening
them in the "_search" window. This information may then be retrieved using
the file protocol. It is believed that this could also be exploited to
execute arbitrary code in the context of the other domain including the
local security zone.

2) NavigateAndFind protocol history / NAFjpuInHistory
It is possible to retrieve information and execute JavaScript in the context
of other sites using the "history.back" function. This may also affect the
local security zone.

3) window.open search injection / WsFakeSrc
It is possible to open different sites using "window.open" and access
information and execute JavaScript in this window at any given time. This
may also affect the local security zone.

4) NavigateAndFind file proxy / NAFfileJPU
A combination of the file protocol and the NavigateAndFind function allows
malicious sites to access information and execute code in a different window
and domain. This may also affect the local security zone.

5) Timed history injection / BackMyParent2
It is possible to access information from a site loaded in a different frame
and domain using the "history.back" function.

6) history.back method caching / RefBack
This is a variant of 5) BackMyParent also allowing a site to access
information from a different frame and domain.

7) Click hijacking / HijackClick
This allows malicious sites to trick users into performing actions like
drag'n'drop a resource from one place to another without their knowledge. An
example has been provided allowing sites to add links to "Favorites".
However, resources need not be links and the destination could be different
than "Favorites".

Issues 1-7 have been reported by Liu Die Yu and affect Internet Explorer
with all patches. Several other issues have also been published. These,
however, affect Internet Explorer without all patches installed. Thus they
are not considered relevant as they to some extent are related to previously
fixed vulnerabilities.

There is no patch for these issues. The only efficient solution is to
disable Active Scripting.

Secunia recommends that you disable Active Scripting, ActiveX and plug-ins
for all sites. You may then allow execution of this for certain trusted
sites on a case by case basis.

Reported by / credits:
Discovered and published by Liu Die Yu
Additional information from Thor Larholm

Keith Hill
kjhill at cox.net
(703) 577-5487
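
The workaround in the advisory above (Active Scripting and ActiveX/plug-ins disabled everywhere except trusted sites) can be checked per user with the audit below. This is an added example, not part of the original message or the advisory; it assumes the standard per-user zone keys under HKCU and the standard URL action IDs 1400 and 1200, and it does not read machine-wide policy keys that may override them.

```powershell
# Added example: audit the per-user IE zone settings behind the advisory's workaround.
# Assumptions: standard URL action IDs (1400 = Active scripting,
# 1200 = Run ActiveX controls and plug-ins) and policy values
# (0 = Enable, 1 = Prompt, 3 = Disable). Machine-wide policy keys are not read.
$zonesKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$actions   = [ordered]@{ '1400' = 'Active scripting'; '1200' = 'Run ActiveX controls and plug-ins' }
$policies  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-IEZoneAudit {
    foreach ($zone in 1..4) {
        $path  = Join-Path $zonesKey ([string]$zone)
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue

        foreach ($id in $actions.Keys) {
            # A missing key or value means the zone's default template applies,
            # so the setting cannot be confirmed as disabled.
            $value = if ($props) { $props.$id } else { $null }

            $setting = 'Not set'
            if ($null -ne $value) {
                $setting = if ($policies.ContainsKey([int]$value)) { $policies[[int]$value] } else { "Unknown ($value)" }
            }

            [pscustomobject]@{
                Zone      = $zoneNames[$zone]
                Action    = $actions[$id]
                Setting   = $setting
                # Trusted sites is the one zone the advisory allows as an exception;
                # every other zone must be explicitly set to Disable (3).
                Compliant = ($zone -eq 2) -or ($value -eq 3)
            }
        }
    }
}

Get-IEZoneAudit | Format-Table -AutoSize
```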
