 
From: Mark Curphey (mcurpheyonebox.com)
Date: Sun Oct 21 2001 - 21:13:55 CDT


    attached mail follows:


    Georgi Guninski security advisory #50, 2001

    Javascript in IE may spoof the whole screen

    Systems affected:
    IE 5.5/6.0 on Windows, probably earlier versions

    Risk: very low (user interaction required)
    Date: 21 October 2001

    Disclaimer:
    The information in this advisory is believed to be true based on
    experiments though it may be false.
    The opinions expressed in this advisory and program are my own and
    not of any company. The usual standard disclaimer applies,
    especially the fact that Georgi Guninski is not liable for any damages
    caused by direct or indirect use of the information or functionality
    provided by this advisory or program. Georgi Guninski bears no
    responsibility for content or misuse of this advisory or program or
    any derivatives thereof.

    Description:

    This is *not* a security vulnerability by itself but has some
    security implications.
    It is possible for a web page containing javascript to take over the
    whole screen - including menus, modal dialogs, taskbar, clock, etc.
    This allows "spoofing" the whole screen including modal IE messages.
    Basically this means that a script-initiated IE dialog
    "You are downloading malicious.exe from malicious.com - 'Open | Cancel | more info'"
    may be made to appear to the user as:
    "Welcome to my new site - 'Open'" ('Cancel' is not visible and not clickable)
    If the user clicks on 'Open' in the spoofed context, code may be executed
    (user interaction is required).

    Details:
    Spoofing the UI is done by window.createPopup() and popup.show() -
    -------------------
    // IE-only API: window.createPopup() returns a popup window object
    var op = window.createPopup();
    // the popup body can be filled with arbitrary HTML
    op.document.body.innerHTML = "...html...";
    // show(x, y, width, height, parentElement): here sized to the whole screen
    op.show(0, 0, screen.width, screen.height, document.body);
    -------------------
    Demonstration:

    Image moving over download/open dialog:
    http://www.guninski.com/opf2.html
    BSOD emulation:
    http://www.guninski.com/bsod1.html

    Workaround:
    If you consider this a threat, disable "active scripting"

    Vendor status:
    Microsoft was informed on 16 October 2001.

    Regards,
    Georgi Guninski
    http://www.guninski.com
    ----------------------
    You may visit Guninski Security Mailing List page at
    http://www.guninski.com/mailinglist.html
    ----------------------