RE: SUPER SPOOF DELUXE Re: Microsoft and Security

["http-equiv () excite com" <1 () malware com>]

Yes of course.

Two tiny problems though:

1. your little scriplet doesn't work for me. I get:

'W.frames.2.location' is null or not an object

2. If as you claim this is "standard practice" then there is 
something wrong with these browsers as it apparently does not 
work on them:

The following browsers are not affected:
* Mozilla Firefox 0.9 for Windows
* Mozilla Firefox 0.9.1 for Windows
* Mozilla 1.7 for Windows
* Mozilla 1.7 for Linux

http://secunia.com/advisories/11978/

Perhaps someone who really knows will enlighten us all.

Thor Larholm <thor () pivx com> said:

> > From: http-equiv () excite com [mailto:1 () malware com] 
>
> Your subject makes it sound like this is a spoofing 
vulnerability when
> in fact this is expected functionality that has been around 
since
> Netscape 2 and IE3 which does not grant additional privileges 
of any
> kind and requires the user to activate WindowsUpdate from your 
site.
> > Here's a quick and dirty demo injecting malware.com into 
> > windowsupdate.microsoft.com :)
> > http://www.malware.com/targutted.html 
>
> Your script opens a new window and then uses a timer to change 
the
> location of whatever window object has focus. This does not 
switch
> security zone or even protocol, all it does is to load your 
site into a
> subframe of another site. You can accomplish the exact same 
without
> trying to 'trick' anything by using the following 2 lines:
>
> W=window.open("http://v4.windowsupdate.microsoft.com";);
> W.frames[2].location.href = "http://pivx.com/";;
>
> This is no different than loading WindowsUpdate in a frame on 
your own
> site.
>
> It has always been standard practice that you can change, but 
not read,
> the location of any window object to a site from the same 
protocol and
> security zone. A frame is a window object and all window 
objects are
> safely exposed because they by themselves does not reveal any
> information about the site inside the frame. You can get a 
handle of any
> window object to any depth because the frames collection is 
also safely
> exposed. This does not give you any kind of access to the 
document
> object inside, which would be necessary for any kind of code 
injection
> or cookie theft.
>
>
>
>
>
>
> Regards
>
> Thor Larholm
> Senior Security Researcher
> PivX Solutions
> 23 Corporate Plaza #280
> Newport Beach, CA 92660
> http://www.pivx.com
> thor () pivx com
> Stock symbol: (PIVX.OB)
> Phone: +1 (949) 231-8496
> PGP: 0x5A276569
> 6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569
>
> PivX defines a new genre in Desktop Security: Proactive Threat
> Mitigation. 
> <http://www.pivx.com/qwikfix>
> -----Original Message-----
> From: http-equiv () excite com [mailto:1 () malware com] 
> Sent: Tuesday, June 29, 2004 11:41 AM
> To: bugtraq () securityfocus com
> Cc: NTBugtraq () listserv ntbugtraq com
> Subject: SUPER SPOOF DELUXE Re: [Full-disclosure] Microsoft 
and Security
> Thomas Kessler was kind enough to inform that this is not new, 
but in
> fact on old "issue" with Internet Explorer which by all 
accounts was
> supposed to be "patched" back in 1998[?]:
>
> Microsoft Security Program: Microsoft Security Bulletin (MS98-
> 020) Patch Available for 'Frame Spoof' Vulnerability
>
> http://www.microsoft.com/technet/security/bulletin/ms98-
020.mspx
> Quite clearly this contraption known as Internet Explorer is 
just
> broken. It's oozing pus from every pore at this stage.
>
> If indeed the issues are the exact same. 
>
> You'd better wipe hands of it anyway.
>
> We give up.
>
> --
> http://www.malware.com



-- 
http://www.malware.com




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html