IE 6 Privacy Features Open Users To Attack - Expert

[InfoSec News <isn () c4i org>]

http://www.newsbytes.com/news/02/176077.html

By Brian McWilliams, Newsbytes
REDMOND, WASHINGTON, U.S.A.,
23 Apr 2002, 12:47 PM CST
 
Security flaws in privacy features added to Microsoft's Web browser
could enable attackers to perform several privacy-robbing attacks,
including hijacking victims' MSN Messenger accounts, a security
researcher warned.

According to Thor Larholm, a developer with Denmark-based Internet
portal Jubii.dk, "severe" bugs in the "Privacy Report" feature in
Internet Explorer version 6 can be exploited "in effect removing all
privacy."
 
Last week, Larholm posted an advisory and harmless demonstrations of
the flaws at his personal Web site. One example showed how the browser
bugs enable a Web site to launch programs that exist on the user's
hard disk. Another demo page silently sends a message to users in the
target's MSN Messenger contact list.

"Hello, my MSN has just been h4><0r3d. However, this is nothing
to be worried about. Your MSN is fine. The person who sent this would
probably like a reply though, to show that it worked," read the
instant message transmitted by Larholm's demonstration.

Larholm said the IE flaws also enable an attacker to steal a victim's
browser cookies. Cookie files are sometimes used by the browser to
authenticate users and allow them to access sites. Larholm did not
provide a demonstration of the cookie-stealing exploit.

According to Larholm, he notified Microsoft about the IE
vulnerabilities on March 18. The researcher said he decided to
publicize his findings because he felt Microsoft was not giving the
flaws proper consideration.

"After a month, they are still only at a stage where they are
considering whether to patch it," said Larholm in an interview today.

A Microsoft representative said the company was still investigating
the issue and declined further comment.

Larholm said the security flaws lie in an IE feature for creating
dialog windows. The browser fails to perform proper validation
checking when a privacy dialog window interacts with a remote site, he
said.

By clicking an icon in the browser's status bar, IE 6 users can view a
privacy report when they visit a site. The report enables users to
control how the browser handles cookies from the site and to view its
privacy policy.

Disabling IE's use of JavaScript prevents the flaws from being
exploitable, according to Larholm.

In response to Larholm's advisory, GreyMagic Software of Israel said
it found similar dialog-related flaws in another IE resource named
Analyze.dlg. According to GreyMagic, earlier versions of Microsoft's
browser, including IE 5 and IE 5.5, as well as IE 6, are vulnerable to
the attack.

Larholm's advisory is at /

GreyMagic's advisory is at /

Microsoft's description of privacy features in IE is at
http://www.microsoft.com/windows/ie/evaluation/overview/privacy.asp



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.