Secunia Logo
Netsikker nu! 2008
 
Internet Explorer Security Zone Bypass and Address Bar Spoofing
Secunia Advisory: SA11830
Release Date: 2004-06-11
Last Update: 2005-02-10
Popularity: 60,045 views

Critical:
Highly critical
Impact: Security Bypass
Spoofing
Where: From remote
Solution Status: Vendor Patch

Software:Microsoft Internet Explorer 6.x

Subscribe: Instant alerts on relevant vulnerabilities


Description:
bitlance winter has reported a vulnerability in Internet Explorer (IE), allowing malicious people to bypass security zones or conduct phishing attacks.

The vulnerability is caused due to an error within the handling of URLs, which may cause IE to view a web site in context of another less secure security zone than intended.

Example:
http://[trusted_site]%2F%20%20%20.[malicious_site]/

Successful exploitation may allow a web page to be displayed in context of another domain e.g. in the "Trusted sites" or "Local intranet" security zones. However, a malicious web site's domain has to support wildcard DNS and accept invalid values in the "Host:" header.

The issue can also be exploited to potentially trick users into supplying sensitive information to a malicious web site, because information displayed in the address bar can be constructed in a certain way. This may lead users to believe that they're visiting another web site than the displayed web site.

The vulnerability has been confirmed on a fully patched Windows XP system with IE 6.0. Other versions may also be affected.

NOTE: The vulnerability may present a greater risk on systems, where predictable domains are in the "Trusted sites" zone. This can also be combined with other unfixed vulnerabilities to bypass mitigating steps, where Active Scripting has been disabled for all zones but "Trusted sites".

UPDATE: A sample exploit has been posted which can place arbitrary content in the Startup folder and possibly other locations using the inherently insecure Microsoft Windows "shell:" URI handler functionality. The exploit utilises the fact that Internet Explorer believes that it is operating in the "Trusted sites" zones to access the "shell:" URI handler. This exploit has been confirmed to work on a fully patched system running Internet Explorer 6 and Windows XP SP1.

The exploit requires the user to drag'n'drop an image to a different place on the webpage. However, it may be possible to trigger a drag'n'drop event by a single click using issue 2 in:
SA12048

Solution:
The vulnerability has been fixed silently in some cumulative security update.

Provided and/or discovered by:
bitlance winter
Sample exploit by http-equiv

Changelog:
2004-07-19: Changed rating to Highly critical. Updated description.
2005-02-10: Updated "Solution" section.


Track this Secunia Advisory
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released.

Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.

About this Secunia Advisory
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.

Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
  
Latest Advisories

Today
New advisories: 7
New vulnerabilities: 15
Updated advisories: 11

Less // 142 views
Debian update for openldap
Moderately // 119 views
Debian update for ruby1.9
Moderately // 123 views
Debian update for ruby1.8

10th Oct, 2008
New advisories: 15
New vulnerabilities: 83
Updated advisories: 39


Solutions | More...  


Send Feedback to Secunia
If you have new information regarding this Secunia advisory or a product in our database, please send it to us using either our web form or email us at vuln@secunia.com.

Ideas, suggestions, and other feedback are most welcome.

Most Popular - 3 Hours

1. Apache Tomcat "RemoteFilterValve" Security Bypass Security Issue // 129 views
2. Debian update for openldap // 105 views
3. Debian update for ruby1.8 // 93 views
4. GuildFTPd "LIST" Processing Buffer Overflow Vulnerability // 92 views
5. Debian update for ruby1.9 // 87 views
6. Sun Java System Web Proxy Server FTP Subsystem Buffer Overflow // 40 views
7. CUPS Multiple Vulnerabilities // 36 views
8. Apple Mac OS X Security Update Fixes Multiple Vulnerabilities // 32 views
9. Trend Micro ServerProtect Multiple Buffer Overflow Vulnerabilities // 29 views
10. Red Hat update for cups // 28 views