From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Date: Mon, 22 Oct 2001 06:28:09 -0700 (PDT)
Subject: [iwar] [fc:Javascript.in.IE.may.spoof.the.whole.screen]

Georgi Guninski security advisory #50, 2001

Javascript in IE may spoof the whole screen

Systems affected: IE 5.5/6.0 on Windows, probably earlier versions
Risk: very low (user interaction required)
Date: 21 October 2001

Disclaimer:
The information in this advisory is believed to be true based on experiments, though it may be false. The opinions expressed in this advisory and program are my own and not those of any company. The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this advisory or program. Georgi Guninski bears no responsibility for content or misuse of this advisory or program or any derivatives thereof.

Description:
This is *not* a security vulnerability by itself but has some security implications. It is possible for a web page containing javascript to take over the whole screen - including menus, modal dialogs, taskbar, clock, etc. This allows "spoofing" the whole screen, including modal IE messages. Basically this means that a script-initiated IE dialog:

  "You are downloading malicious.exe from malicious.com - 'Open | Cancel | more info'"

may be made to appear to the user as:

  "Welcome to my new site - 'Open'"

('Cancel' is not visible and not clickable.) If the user clicks on 'Open' in the spoofed context, code may be executed (user interaction is required).

Details:
Spoofing the UI is done by window.createPopup() and popup.show():
-------------------
op=window.createPopup();
op.document.body.innerHTML="...html...";
op.show(0,0,screen.width,screen.height,document.body);
-------------------

Demonstration:
Image moving over download/open dialog: http://www.guninski.com/opf2.html
BSOD emulation: http://www.guninski.com/bsod1.html

Workaround:
If you consider this a threat, disable "active scripting".

Vendor status: Microsoft was informed on 16 October 2001.

Regards,
Georgi Guninski
http://www.guninski.com

------------------
http://all.net/
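As an added defender-side example (not part of Guninski's advisory or his demo pages), the following Node.js script scans page script text for the createPopup()/show() full-screen pattern described under Details, the kind of static check a content filter or proxy log review could apply before such a page reaches an IE 5.5/6.0 user. The function names and the sample snippets are constructed for this example.

```javascript
// Added example: static check for the IE-only window.createPopup() full-screen
// spoof pattern from the advisory. It flags scripts that create a popup and
// then call popup.show(x, y, width, height, ...) with screen-sized width/height.
// Function names and sample inputs are constructed for this example.

const SCREEN_DIM = /\bscreen\.(width|height|availWidth|availHeight)\b/;

// Split an argument list on top-level commas only (nested calls stay intact).
function splitArgs(argText) {
  const args = [];
  let depth = 0, cur = '';
  for (const ch of argText) {
    if (ch === '(' || ch === '[') depth++;
    else if (ch === ')' || ch === ']') depth--;
    if (ch === ',' && depth === 0) { args.push(cur.trim()); cur = ''; }
    else cur += ch;
  }
  if (cur.trim()) args.push(cur.trim());
  return args;
}

// Returns one finding per show() call whose width or height argument refers to
// the screen dimensions; scripts that never call createPopup() are skipped.
function findFullScreenPopups(scriptText) {
  const findings = [];
  if (!/\bcreatePopup\s*\(/.test(scriptText)) return findings;
  const showOpen = /\.show\s*\(/g;
  let m;
  while ((m = showOpen.exec(scriptText)) !== null) {
    const start = m.index + m[0].length;
    let depth = 1, i = start;
    for (; i < scriptText.length && depth > 0; i++) {   // find the matching ')'
      if (scriptText[i] === '(') depth++;
      else if (scriptText[i] === ')') depth--;
    }
    if (depth !== 0) break;                               // unbalanced call: stop
    const [width, height] = splitArgs(scriptText.slice(start, i - 1)).slice(2, 4);
    if ([width, height].some(a => a !== undefined && SCREEN_DIM.test(a))) {
      findings.push({ call: scriptText.slice(m.index + 1, i), width, height });
    }
  }
  return findings;
}

// Constructed sample: the advisory's pattern with placeholder popup content.
const ADVISORY_SNIPPET = `op=window.createPopup();
op.document.body.innerHTML="<p>constructed sample content</p>";
op.show(0,0,screen.width,screen.height,document.body);`;
// Constructed sample: a tooltip-sized popup that should not be flagged.
const BENIGN_SNIPPET = `var tip=window.createPopup();
tip.show(10, 10, 200, 40, document.body);`;

console.log(JSON.stringify(findFullScreenPopups(ADVISORY_SNIPPET), null, 2));
```

The check is a heuristic for review, not a blocklist: a width or height computed from screen.width in a separate variable would pass it, so treat a hit as a reason to inspect the page rather than as proof of spoofing.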
This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:56 PST