Re: Major Internet Explorer Vulnerability - NOT Patched

[Dan Ballance <tzewang.dorje () gmail com>]

Does anyone know if Microsoft have patched this yet?

On Wed Feb 04 2015 at 09:05:26 David Leo <david.leo () deusen co uk> wrote:

> Microsoft was notified on Oct 13, 2014.
>
> Joey thank you very much for your words.
>
> Kind Regards,
>
> On 2015/2/3 4:53, Joey Fowler wrote:
> > Hi David,
> >
> > "nice" is an understatement here.
> >
> > I've done some testing with this one and, while there /are/ quirks, it
> most definitely works. It even bypasses standard HTTP-to-HTTPS restrictions.
> > As long as the page(s) being framed don't contain X-Frame-Options
> headers (with `deny` or `same-origin` values), it executes successfully.
> Pending the payload being injected, most Content Security Policies are also
> bypassed (by injecting HTML instead of JavaScript, that is).
> > It looks like, through this method, all viable XSS tactics are open!
> >
> > Nice find!
> >
> > Has this been reported to Microsoft outside (or within) this thread?
> >
> > --
> > Joey Fowler
> > Senior Security Engineer, Tumblr
> >
> >
> >
> > On Sat, Jan 31, 2015 at 9:18 AM, David Leo <david.leo () deusen co uk
> <mailto:david.leo () deusen co uk>> wrote:
> >     Deusen just published code and description here:
> >     http://www.deusen.co.uk/items/__insider3show.3362009741042107/ <
> http://www.deusen.co.uk/items/insider3show.3362009741042107/>
> >     which demonstrates the serious security issue.
> >
> >     Summary
> >     An Internet Explorer vulnerability is shown here:
> >     Content of dailymail.co.uk <http://dailymail.co.uk> can be changed
> by external domain.
> >     How To Use
> >     1. Close the popup window("confirm" dialog) after three seconds.
> >     2. Click "Go".
> >     3. After 7 seconds, "Hacked by Deusen" is actively injected into
> dailymail.co.uk <http://dailymail.co.uk>.
> >     Technical Details
> >     Vulnerability: Universal Cross Site Scripting(XSS)
> >     Impact: Same Origin Policy(SOP) is completely bypassed
> >     Attack: Attackers can steal anything from another domain, and inject
> anything into another domain
> >     Tested: Jan/29/2015 Internet Explorer 11 Windows 7
> >
> >     If you like it, please reply "nice".
> >
> >     Kind Regards,
> >
> >
> >     _________________________________________________
> >     Sent through the Full Disclosure mailing list
> >     https://nmap.org/mailman/__listinfo/fulldisclosure <
> https://nmap.org/mailman/listinfo/fulldisclosure>
> >     Web Archives & RSS: http://seclists.org/__fulldisclosure/ <
> http://seclists.org/fulldisclosure/>
> >
>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/