Slashdot Mirror


IE 7.0/8.0b Code Execution 0-Day Released

SecureThroughObscure writes "Security blogger and researcher Nate McFeters blogged about a 0-day exploit affecting IE7 and IE8 beta on XP that was released by noted security researcher Aviv Raff. The flaw is a 'cross-zone scripting' flaw that takes advantage of the fact that printing HTML web pages occurs in the Local Machine Zone in IE rather than in the Internet Zone. Quoting McFeters's post: 'This is currently unpatched and in all of its 0-day glory, so for the time being, beware printing using the "print table of links" option when printing web pages.' McFeters and others will be presenting at Black Hat on the link between cross-site scripting and cross-zone. Rob Carter has been hitting this hard over at his blog, pointing out cross-zone weaknesses in Azureus, uTorrent, and the Eclipse platform."

22 of 131 comments

  1. 0-day by Anonymous Coward · · Score: 5, Insightful

    0-day? This term seems to have lost all meaning. Could we please stop using it?

    1. Re:0-day by Fast+Thick+Pants · · Score: 5, Informative

      Zero is the answer to the question "How long has the vulnerability that this exploit exploits been patched?" I suppose you could call it a -24 since it probably won't be patched until next month's black Tuesday.

    2. Re:0-day by tyler.willard · · Score: 5, Informative

      That's what the term seems to have mutated into, but it wasn't its original intent.

      The whole point of coining the term in the first place was to be able to discuss the unknown; i.e., to be able to assess the potential danger of currently unknown threats. Day-1 refers to disclosure; as such, there's no way to talk about a specific 0-day, because if you know what it is then it has to be at least day-1.

      Sure it's abstract, but it's an important concept for developing security technologies and security procedures.

      Between product buzzwords and the abstract nature of the term it's almost lost all meaning.

    3. Re:0-day by Lincolnshire+Poacher · · Score: 5, Informative

      > The whole "day thing" is about the time between disclosure and patch/signature release.

      Do you have any citation for your assertion?

      The term derives from warez "0-day boards". These were populated by the most elite crackers who had cracked software on the 0th-day of release; that is, the software hit the shelves and was already cracked.

      Try doing a web search for "0-day" with a date threshold prior to, say, 1995. You won't find any hits for your interpretation:

      http://www.alltheweb.com/search?advanced=1&cat=web&jsact=&_stype=norm&type=all&q=%220-day%22&itag=crv&l=en&ics=utf-8&cs=iso88591&wf%5Bn%5D=3&wf%5B0%5D%5Br%5D=%2B&wf%5B0%5D%5Bq%5D=&wf%5B0%5D%5Bw%5D=&wf%5B1%5D%5Br%5D=%2B&wf%5B1%5D%5Bq%5D=&wf%5B1%5D%5Bw%5D=&wf%5B2%5D%5Br%5D=-&wf%5B2%5D%5Bq%5D=&wf%5B2%5D%5Bw%5D=&dincl=&dexcl=&geo=&doctype=&dfr%5Bu%5D=on&dfr%5Bd%5D=1&dfr%5Bm%5D=1&dfr%5By%5D=1990&dto%5Bu%5D=on&dto%5Bd%5D=16&dto%5Bm%5D=5&dto%5By%5D=1995&hits=10

      Try USENET for certainty (blocked in work).

    4. Re:0-day by An+ominous+Cow+art · · Score: 4, Funny

      Yeah, the term has definitely been bricked.

  2. A Disturbing Trend, But Not Unforeseen... by blcamp · · Score: 4, Insightful
    The more complex the software releases become, the more complex and insidious the exploits of them become also.

    --
    The problem with socialism is that they always run out of other people's money. - Margaret Thatcher
  3. Amazing by duplicate-nickname · · Score: 5, Funny

    I didn't even know that "Print table of links" was an option for printing in IE until today. My guess is that no one actually uses that feature, and this 0-day exploit affects roughly 0 people.

    1. Re:Amazing by CastrTroy · · Score: 4, Insightful

      Even if you did know about the feature, I'm not sure of its usefulness. Saving a spreadsheet of links might be useful, but printing them out? Most URLs are pretty hard to type back in, and wouldn't be all that useful on paper. Look at the URL I'm on right now.

      http://it.slashdot.org/comments.pl?sid=555236&op=Reply&threshold=1&commentsort=0&mode=nested&pid=23432544

      Why you would want that printed out on a piece of paper is beyond me. It might possibly somewhat work on a PDF printer, but even then, its use is limited.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    2. Re:Amazing by Anonymous Coward · · Score: 5, Funny

      You're forgetting about another MSIE feature, a TWAIN plugin called "Scan table of links".

  4. Proof by morgan_greywolf · · Score: 5, Insightful

    This is proof of what I've said from the beginning -- the whole concept of 'zones' in IE is stupid and pointless. Scripts should be allowed only what you allow them, period. You should be able to give permissions down to the individual site (a la NoScript) or even down to the individual script.

    1. Re:Proof by ScentCone · · Score: 4, Insightful

      > You should be able to give permissions down to the individual site (a la NoScript) or even down to the individual script.

      Look, for most people, the zone idea actually makes sense. Basically, don't trust ANY web site to do the tricksy stuff, but add (for example) your company's intranet to the safe zone, where it can do more desktop-ish stuff. I don't think that's such an awkward concept, and it spares people from having to think through what to allow, or not, on a site-by-site basis as they surf. Most people are not this audience. And being able to enforce zone policies at the enterprise level makes a lot of sense, since average users are routinely shown to be spineless and witless: they'll add a poisonous Russian casino spam site to the safe list if that site pops up a tutorial on the steps they have to take to do so, if they want their free emoticon package.

      Fiddly, granular systems only work for fiddly, granular people.

      --
      Don't disappoint your bird dog. Go to the range.
    2. Re:Proof by morgan_greywolf · · Score: 4, Insightful

      Pffft. So tell me-- why when I browse a site in the "Internet-zone" and then print a table of links, does that function run in the 'Local Zone'?

      I'll tell you why: because it has to. You can't access local devices in the Internet Zone. That's the point. Granular approaches would allow you to print without accidentally giving other permissions to something that shouldn't have them.

      At the enterprise level, with something like NoScript, you can just allow entire domains, say intranet.example.com or whatever your organization uses.

      Next thing you're gonna tell me is that you think Microsoft should do away with ACLs at the individual file level or even the directory because users are just too stupid to figure that out. They should just have "file zones" and people will just have to stick their files in the right zone. Pffft.

    3. Re:Proof by Penguinisto · · Score: 4, Insightful

      Having actually used the 'Zones' concept recently on IE, I gotta say - it needs work. LOTS of work. The first time someone wants to diddle with a MySpace app and discovers that it won't work until you basically ratchet down the settings --often by hand in the advanced options--? Then couple that with the fact that many websites can pull in parts and content from multiple domains, requiring permissions to be set on each and every one? The whole thing would go out the window and the user would promptly ratchet down the whole WWW.

      The concept itself is okay, but the implementation could use a good, solid overhaul.

      /P

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    4. Re:Proof by CastrTroy · · Score: 4, Insightful

      And for IE the defaults allow special permissions to your entire intranet. By default all the permissions should be low. There's no reason to grant higher permissions to the entire intranet. If you need something like that set up at your organization, you should have to enable it per server, or per domain.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
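The per-server alternative CastrTroy describes above can be expressed as a short administrative script. The following is an added example, not code from the thread or from Microsoft: it maps one explicitly named host into IE's Local Intranet zone through the ZoneMap registry keys, switches off the heuristics that silently place hosts into that zone (the checkboxes on the "Local intranet" dialog), and lists the resulting mappings so they can be audited. The host name intranet.example.com is a placeholder, the zone id constants and value names are those used by the Internet Settings ZoneMap as I understand them, and the domain split is a simplification that does not handle two-level public suffixes such as co.uk.

```powershell
# Added example (not from the Slashdot thread or Microsoft). Grants Local Intranet
# zone membership to one named host instead of the whole intranet, and disables
# intranet auto-detection so only explicit mappings get the elevated zone.
# Writes to the current user's hive; Group Policy can push the same keys machine-wide.

$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$LocalIntranetZone = 1   # zone ids: 0 Local Machine, 1 Local Intranet, 2 Trusted, 3 Internet, 4 Restricted

function Set-IntranetHost {
    param(
        [Parameter(Mandatory)] [string] $HostName,                       # placeholder host, e.g. 'intranet.example.com'
        [ValidateSet('http', 'https', '*')] [string] $Scheme = 'https'  # '*' would cover every scheme
    )
    # ZoneMap stores mappings as Domains\<registrable domain>\<host labels>,
    # with a DWORD named after the scheme whose value is the zone id.
    $labels = $HostName.Split('.')
    if ($labels.Count -lt 2) { throw "expected a fully qualified host name, got '$HostName'" }
    $domain = $labels[-2..-1] -join '.'
    # Simplification: assumes a one-label public suffix (example.com, not example.co.uk).
    $sub = if ($labels.Count -gt 2) { $labels[0..($labels.Count - 3)] -join '.' } else { '' }

    $key = Join-Path $zoneMap "Domains\$domain"
    if ($sub) { $key = Join-Path $key $sub }
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name $Scheme -PropertyType DWord -Value $LocalIntranetZone -Force | Out-Null
    return $key
}

function Disable-IntranetAutoDetect {
    # Turn off the rules that put hosts into Local Intranet without an explicit
    # mapping: network auto-detection, dotless names, proxy-bypass entries, UNC paths.
    foreach ($name in 'AutoDetect', 'IntranetName', 'ProxyBypass', 'UNCAsIntranet') {
        New-ItemProperty -Path $zoneMap -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

function Get-ZoneMappings {
    # Enumerate every explicit mapping so an auditor can see exactly which hosts
    # were granted a zone other than Internet.
    Get-ChildItem -Path (Join-Path $zoneMap 'Domains') -Recurse | ForEach-Object {
        $key = $_
        foreach ($valueName in $key.GetValueNames()) {
            [pscustomobject]@{
                Host   = ($key.PSPath -replace '.*\\Domains\\', '')
                Scheme = $valueName
                Zone   = $key.GetValue($valueName)
            }
        }
    }
}

Set-IntranetHost -HostName 'intranet.example.com' -Scheme 'https'
Disable-IntranetAutoDetect
Get-ZoneMappings | Format-Table -AutoSize
```

The audit listing is the part worth keeping in a change ticket: a host that shows up with zone 0 (Local Machine) or an unexpected zone 1 or 2 entry is exactly the kind of silent privilege grant the thread is complaining about, and it is far easier to spot in a three-column table than by clicking through the zone dialogs on each workstation.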
  5. Usage by Wowsers · · Score: 5, Funny

    People still use Internet Exploder?

    --
    Take Nobody's Word For It.
  6. Irresponsible disclosure by benjymouse · · Score: 4, Interesting

    The vuln. is probably real, but Aviv Raff notified Microsoft the day before he went public with a "treasure hunt" for this bug (celebrating Israel's 60th birthday); thus the fact that it's a 0day vuln. is entirely his doing. Way to go.

    --
    Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    1. Re:Irresponsible disclosure by reset_button · · Score: 4, Insightful

      Is it better to keep it secret until a patch comes out and hope that nobody else has discovered the vulnerability, or publicize it and let people know not to use this IE feature until it's patched?

  7. Can it be triggered via javascript? by foniksonik · · Score: 4, Interesting

    Can you trigger this behavior in an onload event?

    If not it's a rather useless exploit other than as a prank to pull on your secretary... "Hey Sandra... can you print out a table of links for this website?"

    5 minutes later "What the F***!"

    "HAHAHAHAHAHAHA... I totally got you!"

    --
    A fool throws a stone into a well and a thousand sages can not remove it.
    1. Re:Can it be triggered via javascript? by ruiner13 · · Score: 4, Informative

      You can certainly trigger the window.print() command in the onload, but setting the properties of the dialog to what is needed for this exploit cannot be done. VBScript may allow further printing options, but I suspect the page would first trigger the standard scripting warnings and the user would still be forced to intervene.

      --

      today is spelling optional day.

  8. To view this article on one page... by Thelasko · · Score: 5, Funny

    please select the printable version.

    end sarcasm

    --
    One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
  9. Re:Must we highlight every bug in IE? by makomk · · Score: 5, Informative

    The Debian OpenSSL bug definitely made the Slashdot home page; you must've missed it. (It was posted on Tuesday, a couple of hours after the official announcement - that's quite fast for Slashdot. This story, on the other hand, obviously wasn't considered as important - I read about it elsewhere a day or two ago.)

  10. No by The+MAZZTer · · Score: 4, Informative

    The best you can do is window.print() to bring up the Print dialog. The user would have to select the "Print table of links" option manually and then print to any printer.