Successful exploitation may allow a web page to be displayed in context of another domain e.g. in the "Trusted sites" or "Local intranet" security zones. However, a malicious web site's domain has to support wildcard DNS and accept invalid values in the "Host:" header.
The issue can also be exploited to potentially trick users into supplying sensitive information to a malicious web site, because information displayed in the address bar can be constructed in a certain way. This may lead users to believe that they're visiting another web site than the displayed web site.
The vulnerability has been confirmed on a fully patched Windows XP system with IE 6.0. Other versions may also be affected.
NOTE: The vulnerability may present a greater risk on systems, where predictable domains are in the "Trusted sites" zone. This can also be combined with other unfixed vulnerabilities to bypass mitigating steps, where Active Scripting has been disabled for all zones but "Trusted sites".
UPDATE: A sample exploit has been posted which can place arbitrary content in the Startup folder and possibly other locations using the inherently insecure Microsoft Windows "shell:" URI handler functionality. The exploit utilises the fact that Internet Explorer believes that it is operating in the "Trusted sites" zones to access the "shell:" URI handler. This exploit has been confirmed to work on a fully patched system running Internet Explorer 6 and Windows XP SP1.
The exploit requires the user to drag'n'drop an image to a different place on the webpage. However, it may be possible to trigger a drag'n'drop event by a single click using issue 2 in: SA12048
Solution: The vulnerability has been fixed silently in some cumulative security update.
Provided and/or discovered by: bitlance winter
Sample exploit by http-equiv
Do you have additional information related to this advisory?
Please provide information about patches, mitigating factors, new versions, exploits, faulty patches, links, and other relevant data by posting comments to this Advisory. You can also send this
information to firstname.lastname@example.org
Subject: Internet Explorer Security Zone Bypass and Address Bar Spoofing
No posts yet
You must be logged in to post a comment.
Secunia Customer Login
Not a customer already?
Learn more about how our market leading Vulnerability Management solutions can help you manage risk and ensure compliance.