Users Vulnerable to Online Attacks using Website Cookies with Malicious Content
BOSTON, MA – August 13, 2008 – Core Security Technologies, provider of CORE IMPACT, the most comprehensive product for proactive enterprise security testing, today issued an advisory disclosing a vulnerability that could leave millions of individuals and businesses using Microsoft’s Internet Explorer Web browser open to online attacks.
A researcher from CoreLabs, the research arm of Core Security, discovered that when affected versions of Internet Explorer access a remote site, the browser will not apply the right security permissions, thus allowing unknown sites or applications to be treated as trusted URLs. This could potentially lead to malicious or infected websites remotely executing code on devices running the affected versions of IE, via scripting code delivered within the website’s cookies, and without the end users’ knowledge or permission to do so.
“The discovery of this vulnerability in IE highlights that no vendor is immune to the perils of Web browser software security,” said Ivan Arce, CTO at Core Security Technologies. “Today’s web browsers expose a significant attack surface and have complex interactions with other components of the operating system. Even after extensive and systematic scrutiny during the software development lifecycle vendors may fail to identify serious flaws such as this one.”
The flaw affects versions IE 5, 6 and 7 under Windows 2000/2003/XP, and IE 7 under Windows Vista. Beta versions of Internet Explorer 8 are also vulnerable. The ability to exploit the flaw has been confirmed on all vulnerable versions of Internet Explorer, except IE 7 on Windows Vista running in protected mode, which is the browser’s default setting.
To enforce security policies, Internet Explorer utilizes a feature known as URL Security Zones, which defines a set of privileges and access restrictions for websites and applications depending on their level of trustworthiness. For example, URL Security Zones may allow a given website, identified by its URL, to perform functions such as accessing and/or modifying local computer files, executing scripting code within the browser, installing browser plug-ins with or without user consent, or running new applications or arbitrary Windows shell commands.
The five Security Zones included in Internet Explorer allow users to apply increasingly strict security restrictions to individual websites based on their URLs. The browser’s security mechanisms prevent sites associated with a more restrictive zone from executing some actions that require the added privileges of a less restrictive one.
Based on CoreLabs’ research, in some cases when a remote site attempts to access a local resource, affected versions of Internet Explorer will fail to enforce so-called “Zone Elevation” restrictions, allowing a less-privileged site or application to trick the browser into treating it as if it belongs to a more privileged zone.
By taking advantage of this flaw, attackers could potentially execute code remotely on affected machines with or without end-user interaction. Exploitation of the flaw can be launched from untrusted websites that transfer cookies with scripting code to the browser and redirect the user’s browser using a UNC path to the local file system, forcing it to parse the cached cookie with the MHTML protocol handler.
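A detection sketch for the delivery pattern described above, added here as an example and not taken from the Core Security advisory: it scans HTTP response headers for cookies carrying script markup and for redirects whose target leaves http(s) for a UNC path, a file: URL or the mhtml: handler. The function names, regular expressions, hostnames and sample headers are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Redirect targets that leave the web: UNC paths (\\host\share), file: URLs
# and the mhtml: protocol handler. Heuristic patterns, assumed for this example.
NON_WEB_TARGET = re.compile(r"^\s*(\\\\|file:|mhtml:)", re.IGNORECASE)
# Markup that has no business inside a cookie value.
SCRIPT_MARKUP = re.compile(r"<\s*(script|iframe|object)\b|javascript:", re.IGNORECASE)


def inspect_response(headers):
    """Return the set of findings for one response's (name, value) header list."""
    findings = set()
    for name, value in headers:
        decoded = unquote(value)  # cookie values are often percent-encoded
        if name.lower() == "set-cookie" and SCRIPT_MARKUP.search(decoded):
            findings.add("script-in-cookie")
        elif name.lower() == "location" and NON_WEB_TARGET.search(decoded):
            findings.add("non-web-redirect")
    return findings


def correlate(responses):
    """Group findings per host; a host showing both behaviours is rated 'high'."""
    per_host = {}
    for host, headers in responses:
        found = inspect_response(headers)
        if found:
            per_host.setdefault(host, set()).update(found)
    return {host: ("high" if len(found) == 2 else "review", sorted(found))
            for host, found in per_host.items()}


# Constructed sample data: (host, response headers) as a proxy might log them.
SAMPLE = [
    ("shop.example", [("Set-Cookie", "sid=8f2c1a; Path=/; HttpOnly"),
                      ("Location", "https://shop.example/home")]),
    ("untrusted.example", [("Set-Cookie",
                            "pref=%3Cscript%3Eplaceholder()%3C%2Fscript%3E; Path=/")]),
    ("untrusted.example", [("Location", r"\\placeholder-host\share\placeholder")]),
    ("intranet.example", [("Location", "file:///placeholder/readme.txt")]),
]

if __name__ == "__main__":
    for host, (severity, found) in correlate(SAMPLE).items():
        print(f"{severity:6} {host}: {', '.join(found)}")
```

Either finding alone is worth a look; the two together from one host match the sequence the advisory summary describes.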
For more information on this vulnerability and the systems affected, please visit:
Microsoft has acknowledged the described vulnerability and issued a security patch for the problem on Aug. 12, 2008.
This vulnerability was discovered and researched by Jorge Luis Alvarez Medina from the Security Consulting Services (SCS) team at Core Security Technologies.
CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. Research is conducted in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing and cryptography. Results from these efforts include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs/.
About Core Security Technologies
Core Security Technologies is the leader in comprehensive security testing software solutions that IT executives rely on to expose vulnerabilities, measure operational risk and assure security effectiveness. The company’s CORE IMPACT product family offers a comprehensive approach to assessing the security of network systems, endpoint systems, email users and web applications against complex threats. All CORE IMPACT security testing solutions are backed by trusted vulnerability research and leading-edge threat expertise from the company’s Security Consulting Services, CoreLabs and Engineering groups. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.
Tim Whitman or Megan Prock