Slashdot Mirror


IE 7.0/8.0b Code Execution 0-Day Released

SecureThroughObscure writes "Security blogger and researcher Nate McFeters blogged about a 0-day exploit affecting IE7 and IE8 beta on XP that was released by noted security researcher Aviv Raff. The flaw is a 'cross-zone scripting' flaw that takes advantage of the fact that printing HTML web pages occurs in the Local Machine Zone in IE rather than in the Internet Zone. Quoting McFeters's post: 'This is currently unpatched and in all of its 0-day glory, so for the time being, beware printing using the "print table of links" option when printing web pages.' McFeters and others will be presenting at Black Hat on the link between cross-site scripting and cross-zone. Rob Carter has been hitting this hard over at his blog, pointing out cross-zone weaknesses in Azureus, uTorrent, and the Eclipse platform."

12 of 131 comments

  1. Re:0-day by Fast+Thick+Pants · · Score: 5, Informative

    Zero is the answer to the question "How long has the vulnerability that this exploit exploits been patched?" I suppose you could call it a -24 since it probably won't be patched until next month's black Tuesday.

  2. yes, I use it by thisispurefud · · Score: 2, Informative

    People still use Internet Exploder? Yes, I use Internet Explorer in Windows Vista, which is the safest browser because it runs with the lowest privileges possible in a sandbox (IE7 Protected Mode). In fact, IE7 under Vista is not affected by this flaw, i.e. remote code execution is not possible (yet another reason to use Vista and UAC).

  3. Re:Proof by myxiplx · · Score: 3, Informative

    I disagree, zones are great, I just wish they'd implemented them better. We use zones as a quick way to enforce across the whole organisation which sites can and can't run scripts. The concept is superb, regular sites can't run scripts, activex, or anything. IT designated 'trusted' sites work fine.

    Unfortunately, IE7 has made things a little more difficult:

    - Pages with content from various zones no longer show up as 'mixed'. Since the upgrade to IE7, all sites only show the zone of the main URL; however, the content runs according to the security zone for its own source. It makes it almost impossible to work out whether a site can or can't run scripts, and you end up digging into the page's source code to work out what sites need adding to the trusted zones to get pages to work.

    - Dynamic scripts added to a page in the 'trusted' zone execute from the 'internet' zone. This is "by design"... The only workaround is to change the way the code works on the server.

    - If you want to lock down the 'internet' zone, you will need to add "about:internet" to your 'trusted' zone.

    - You will also need to add res://ieframe.dll to your 'trusted' zone.
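    Added here as an illustration of the zone-based script lockdown this comment describes (per-user keys; org-wide enforcement would normally go through Group Policy instead). This is example code, not the commenter's or Microsoft's, and it assumes the well-known Internet Settings registry layout under HKCU; the domain name used is constructed.

```powershell
# Added example: per-user IE zone lockdown of the kind described above.
# Assumed registry layout (well known, but verify on your IE version):
#   Zones\<n>        - per-zone policy values; 3 = Internet, 2 = Trusted sites
#   ZoneMap\Domains  - site-to-zone assignments: one DWORD per scheme, value = zone id
$IS = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# 1400 = Active scripting, 1200 = Run ActiveX controls and plug-ins.
# Policy values: 0 = enable, 1 = prompt, 3 = disable.
function Set-InternetZoneScripting {
    param([ValidateSet(0, 1, 3)][int]$Policy = 3)
    $zone = Join-Path $IS 'Zones\3'
    foreach ($action in '1400', '1200') {
        Set-ItemProperty -Path $zone -Name $action -Value $Policy -Type DWord
    }
}

# Map a whole domain (every host under it) to the Trusted sites zone (id 2)
# for the given URL schemes, so IT-designated sites keep working.
function Add-TrustedSiteDomain {
    param([Parameter(Mandatory)][string]$Domain, [string[]]$Schemes = @('https'))
    $key = Join-Path $IS "ZoneMap\Domains\$Domain"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($s in $Schemes) {
        Set-ItemProperty -Path $key -Name $s -Value 2 -Type DWord
    }
}

# List the current site-to-zone assignments, so you can check which zone a
# page's resources will run under without digging through its source.
function Get-ZoneAssignments {
    $root = Join-Path $IS 'ZoneMap\Domains'
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $k = $_
        $rel = $k.Name.Substring($k.Name.IndexOf('Domains\') + 8)
        foreach ($name in $k.GetValueNames()) {
            [pscustomobject]@{ Domain = $rel; Scheme = $name; Zone = $k.GetValue($name) }
        }
    }
}

# Usage (constructed domain): lock down the Internet zone, trust one site, review.
Set-InternetZoneScripting -Policy 3
Add-TrustedSiteDomain -Domain 'intranet.example' -Schemes 'https', 'http'
Get-ZoneAssignments | Format-Table -AutoSize
```

    The "about:internet" and res://ieframe.dll entries the comment mentions are added through the Trusted sites dialog rather than the Domains key, so they are not covered by this script.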

  4. Re:you wrong! by morgan_greywolf · · Score: 2, Informative

    > scripting is not dangerous unless there's a flaw in javascript.

    If only JavaScript were the only scripting option on IE. Furthermore, JavaScript is one of the primary vectors of attack for Firefox, IE and Opera: what makes you think that an untrusted JavaScript is NOT dangerous?

    > you can do it with IE by putting the sites into the different zones.

    Right. Again, see how NoScript does it. Far easier and more convenient for the user, IMHO.

  5. Re:0-day by tyler.willard · · Score: 5, Informative

    That's what the term seems to have mutated into, but it wasn't its original intent.

    The whole point of coining the term in the first place was to be able to discuss the unknown; i.e., to be able to assess the potential danger of currently unknown threats. Day-1 refers to disclosure; as such, there's no way to talk about a specific 0-day, because if you know what it is then it has to be at least day-1.

    Sure it's abstract, but it's an important concept for developing security technologies and security procedures.

    Between product buzzwords and the abstract nature of the term it's almost lost all meaning.

  6. Re:Can it be triggered via javascript? by ruiner13 · · Score: 4, Informative

    You can certainly trigger the window.print() command in the onload, but setting the properties of the dialog to what is needed for this exploit cannot be done. VBScript may allow further printing options, but I suspect the page would first trigger the standard scripting warnings and the user would still be forced to intervene.

    --

    today is spelling optional day.

  7. Re:Must we highlight every bug in IE? by makomk · · Score: 5, Informative

    The Debian OpenSSL bug definitely made the Slashdot home page; you must've missed it. (It was posted on Tuesday, a couple of hours after the official announcement - that's quite fast for Slashdot. This story, on the other hand, obviously wasn't considered as important - I read about it elsewhere a day or two ago.)

  8. Re:Must we highlight every bug in IE? by dissy · · Score: 3, Informative

    > In contrast, a far more dangerous bug [debian.org] in the openssl package used by Debian and its derivatives was discovered earlier this week, and doesn't seem to have made the Slashdot home page at all, even though it's probably relevant to a lot of the Slashdot readership and there is real action they can take to fix things. Go figure...

    It was on the Slashdot front page on Tuesday:

    http://it.slashdot.org/article.pl?sid=08/05/13/1533212

  9. No by The+MAZZTer · · Score: 4, Informative

    The best you can do is window.print() to bring up the Print dialog. The user would have to select the "Print table of links" option manually and then print to any printer.

  10. Re:Must we highlight every bug in IE? by OMGZombies · · Score: 2, Informative

    > In contrast, a far more dangerous bug in the openssl package used by Debian and its derivatives was discovered earlier this week, and doesn't seem to have made the Slashdot home page at all

    You mean, this bug?

  11. Re:0-day by Lincolnshire+Poacher · · Score: 5, Informative

    > The whole "day thing" is about the time between disclosure and patch/signature release.

    Do you have any citation for your assertion?

    The term derives from warez "0-day boards". These were populated by the most elite crackers who had cracked software on the 0th-day of release; that is, the software hit the shelves and was already cracked.

    Try doing a web search for "0-day" with a date threshold prior to, say, 1995. You won't find any hits for your interpretation:

    http://www.alltheweb.com/search?advanced=1&cat=web&jsact=&_stype=norm&type=all&q=%220-day%22&itag=crv&l=en&ics=utf-8&cs=iso88591&wf%5Bn%5D=3&wf%5B0%5D%5Br%5D=%2B&wf%5B0%5D%5Bq%5D=&wf%5B0%5D%5Bw%5D=&wf%5B1%5D%5Br%5D=%2B&wf%5B1%5D%5Bq%5D=&wf%5B1%5D%5Bw%5D=&wf%5B2%5D%5Br%5D=-&wf%5B2%5D%5Bq%5D=&wf%5B2%5D%5Bw%5D=&dincl=&dexcl=&geo=&doctype=&dfr%5Bu%5D=on&dfr%5Bd%5D=1&dfr%5Bm%5D=1&dfr%5By%5D=1990&dto%5Bu%5D=on&dto%5Bd%5D=16&dto%5Bm%5D=5&dto%5By%5D=1995&hits=10

    Try USENET for certainty (blocked at work).

  12. Re:Irresponsible disclosure by Cal+Paterson · · Score: 1, Informative

    Yes doesn't specify which of the options the answerer has selected; it's not a _proper_ answer, even if it's supposed to be witty.