IE 7.0/8.0b Code Execution 0-Day Released

SecureThroughObscure writes "Security blogger and researcher Nate McFeters blogged about a 0-day exploit affecting IE7 and IE8 beta on XP that was released by noted security researcher Aviv Raff. The flaw is a 'cross-zone scripting' flaw that takes advantage of the fact that printing HTML web pages occurs in the Local Machine Zone in IE rather than in the Internet Zone. Quoting McFeters's post: 'This is currently unpatched and in all of its 0-day glory, so for the time being, beware printing using the "print table of links" option when printing web pages.' McFeters and others will be presenting at Black Hat on the link between cross-site scripting and cross-zone. Rob Carter has been hitting this hard over at his blog, pointing out cross-zone weaknesses in Azureus, uTorrent, and the Eclipse platform."

Re:0-day

[Fast+Thick+Pants]

Zero is the answer to the question "How long has the vulnerability that this exploit exploits been patched?" I suppose you could call it a -24 since it probably won't be patched until next month's black Tuesday.

Re:0-day

[tyler.willard]

That's what the term seems to have mutated into, but it wasn't its original intent.

The whole point of coining the term in the first place was to be able to discuss the unknown; i.e., to be able to assess the potential danger of currently unknown threats. Day-1 refers to disclosure, as such there's no way to talk about a specific 0-day because if you know what it is than it has to at least be day-1.

Sure it's abstract, but it's an important concept for developing security technologies and security procedures.

Between product buzzwords and the abstract nature of the term it's almost lost all meaning.

Re:Can it be triggered via javascript?

[ruiner13]

You can certainly trigger the window.print() command in the onload, but setting the properties of the dialog to what is needed for this exploit cannot be done. VBScript may allow further printing options, but I suspect the page would first trigger the standard scripting warnings and the user would still be forced to intervene.

Re:Must we highlight every bug in IE?

[makomk]

The Debian OpenSSL bug definitely made the Slashdot home page; you must've missed it. (It was posted on Tuesday, a couple of hours after the official announcement - that's quite fast for Slashdot. This story, on the other hand, obviously wasn't considered as important - I read about it elsewhere a day or two ago.)

No

[The+MAZZTer]

The best you can do is window.print() to bring up the Print dialog. The user would have to select the "Print table of links" option manually and then print to any printer.

Re:0-day

[Lincolnshire+Poacher]

> The whole "day thing" is about the time between disclosure and patch/signature release.

Do you have any citation for your assertion?

The term derives from warez "0-day boards". These were populated by the most elite crackers who had cracked software on the 0th-day of release; that is, the software hit the shelves and was already cracked.

Try doing a web search for ``0-day'' with a date threshold prior to, say, 1995. You won't find any hits for your interpretation:

http://www.alltheweb.com/search?advanced=1&cat=web&jsact=&_stype=norm&type=all&q=%220-day%22&itag=crv&l=en&ics=utf-8&cs=iso88591&wf%5Bn%5D=3&wf%5B0%5D%5Br%5D=%2B&wf%5B0%5D%5Bq%5D=&wf%5B0%5D%5Bw%5D=&wf%5B1%5D%5Br%5D=%2B&wf%5B1%5D%5Bq%5D=&wf%5B1%5D%5Bw%5D=&wf%5B2%5D%5Br%5D=-&wf%5B2%5D%5Bq%5D=&wf%5B2%5D%5Bw%5D=&dincl=&dexcl=&geo=&doctype=&dfr%5Bu%5D=on&dfr%5Bd%5D=1&dfr%5Bm%5D=1&dfr%5By%5D=1990&dto%5Bu%5D=on&dto%5Bd%5D=16&dto%5Bm%5D=5&dto%5By%5D=1995&hits=10

Try USENET for certainty ( blocked in work ).