A vulnerability researcher working at CoreLabs, the research arm of Core Security Technologies, discovered that when affected versions of Internet Explorer are used to access an external website, the browser may not apply the appropriate security permissions and may allow unknown sites or applications to be treated as trusted URLs.
CoreLabs claimed that this could potentially lead to malicious or infected URLs remotely executing scripts on systems running the affected versions of IE, via either drive-by or download-based attacks, without the end-user's knowledge or permission.
The vulnerability was discovered as part of CoreLabs' ongoing research efforts, with the flaw specifically affecting IE versions 5, 6 and 7 under Windows 2000/2003/XP and Vista. Although it is present, the vulnerability cannot be exploited when a vulnerable version of IE is used in ‘Protected Mode’. CoreLabs also claimed that this has been fixed for the released version of IE8.
Internet Explorer users can assign specific websites or domains to any of the available zones except for the local machine zone. The ability for a given website to perform security-sensitive operations on the web browser is determined by the Security Level of the zone to which the site was assigned. Each zone can be set to one Security Level out of three available pre-sets (medium, medium-high or high) or one customised by the user or system administrator.
CoreLabs research shows that in some cases, a malicious website may leverage a vulnerability and a combination of security weaknesses in the affected versions of Internet Explorer to bypass Security Zone restrictions. It does this by first serving HTML content that IE will cache in known locations in the user's computer, and then redirecting the browser to load it from the local file system and render it as HTML.
In this manner, arbitrary content provided by a potentially malicious site would be able to run scripting code or ActiveX controls on vulnerable browsers and gain read access to any file stored in the user's computer.
Exploitation of the vulnerability allows an attacker to retrieve security and privacy-sensitive data such as authentication credentials, HTTP cookies and other details of HTTP session state, as well as the contents of any local file. To successfully execute an attack, the attacker must either obtain or guess the username of the user visiting the website that delivers the exploit in order to predict the exact pathname to the cached content. In that context, lack of egress filtering for SMB connections, username leakage flaws, or simple brute forcing of known usernames can facilitate attacks.
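The zone model described above (site-to-zone assignment, per-zone Security Level, Protected Mode) and the workarounds this paragraph alludes to (Protected Mode, keeping untrusted sites out of the relaxed zones, SMB egress filtering) can all be checked on a Windows host. The PowerShell audit below is an added example written for this page; it is not CoreLabs' or Microsoft's code. The registry locations and value names are IE's documented zone settings, while the function names, the "finding" heuristics and the firewall check are this example's own assumptions; the firewall check relies on the NetSecurity module (Windows 8 / Server 2012 and later), so on the Windows 2000/XP systems the article lists it simply reports that it could not run.

```powershell
# Added example for this article (not CoreLabs' or Microsoft's code): read the per-user
# Internet Explorer Security Zone configuration and the site-to-zone map, then flag the
# settings the article's workarounds depend on. Registry paths and value names are IE's
# documented zone settings; the function names and heuristics are this example's own.

$ZonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$DomainsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# Zone ids used by IE. Zone 0 is the Local Machine zone the article says users cannot assign sites to.
$ZoneNames  = @{ 0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
# CurrentLevel DWORD values of the built-in presets; any other value is a customised level.
$LevelNames = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-Low'; 0x11000 = 'Medium'; 0x11500 = 'Medium-High'; 0x12000 = 'High' }
# Per-action URL policy values: 0 = allow, 1 = prompt, 3 = disable.
$Policy     = @{ 0 = 'Allow'; 1 = 'Prompt'; 3 = 'Disable' }

function Convert-ZonePolicy([object]$Value) {
    if ($null -eq $Value) { return '(not set)' }
    if ($Policy.ContainsKey([int]$Value)) { return $Policy[[int]$Value] }
    return ('Unknown ({0})' -f $Value)
}

function Get-IEZoneAudit {
    # One object per zone: its preset level and the three actions most relevant to the article.
    foreach ($id in 0..4) {
        $p = Get-ItemProperty -Path (Join-Path $ZonesKey $id) -ErrorAction SilentlyContinue
        if (-not $p) { continue }
        $lvl = [int]$p.CurrentLevel
        $levelName = if ($LevelNames.ContainsKey($lvl)) { $LevelNames[$lvl] } else { 'Custom (0x{0:X})' -f $lvl }
        [pscustomobject]@{
            Zone          = $ZoneNames[$id]
            Level         = $levelName
            ActiveScript  = Convert-ZonePolicy $p.'1400'   # action 1400: Active scripting
            RunActiveX    = Convert-ZonePolicy $p.'1200'   # action 1200: Run ActiveX controls and plug-ins
            ProtectedMode = Convert-ZonePolicy $p.'2500'   # action 2500: Protected Mode (Vista and later); 'Allow' means on
        }
    }
}

function Get-IEZoneMappings {
    # Sites assigned to a zone live under ZoneMap\Domains\<domain>[\<host>], with one DWORD
    # per scheme ('http', 'https' or '*') whose data is the zone id.
    if (-not (Test-Path $DomainsKey)) { return }
    foreach ($key in Get-ChildItem -Path $DomainsKey -Recurse) {
        $parts = ($key.Name -replace '^.*\\Domains\\', '') -split '\\'
        [array]::Reverse($parts)                      # "example.com\www" -> "www.example.com"
        $site = $parts -join '.'
        foreach ($scheme in $key.GetValueNames()) {
            $zone = [int]$key.GetValue($scheme)
            [pscustomobject]@{ Site = $site; Scheme = $scheme; ZoneId = $zone; Zone = $ZoneNames[$zone] }
        }
    }
}

function Test-SmbEgressBlocked {
    # The article names missing egress filtering for SMB as something that facilitates the attack.
    # Look for an enabled outbound block rule covering TCP 445 in Windows Firewall. Assumes the
    # NetSecurity module (Windows 8 / Server 2012 and later); returns $null where it is absent.
    if (-not (Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue)) { return $null }
    foreach ($rule in Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True) {
        $pf = $rule | Get-NetFirewallPortFilter
        if (($pf.Protocol -in 'TCP', 'Any') -and (($pf.RemotePort -contains '445') -or ($pf.RemotePort -contains 'Any'))) {
            return $true
        }
    }
    return $false
}

function Get-IEFindings {
    $out = @()
    foreach ($z in Get-IEZoneAudit) {
        # Per the article, the flaw is not exploitable with Protected Mode on, and scripting or
        # ActiveX in the zone a site lands in is what a zone bypass is trying to reach.
        if (($z.Zone -in 'Internet', 'Trusted Sites') -and $z.ProtectedMode -ne 'Allow') {
            $out += "Protected Mode is off or unset for the $($z.Zone) zone ($($z.ProtectedMode))"
        }
        if ($z.Zone -eq 'Internet' -and $z.RunActiveX -eq 'Allow') {
            $out += 'Internet zone runs ActiveX controls without prompting'
        }
    }
    foreach ($m in Get-IEZoneMappings | Where-Object { $_.ZoneId -in 1, 2 }) {
        $out += "Site '$($m.Site)' ($($m.Scheme)) is assigned to $($m.Zone); confirm it is meant to be trusted"
    }
    $smb = Test-SmbEgressBlocked
    if ($smb -eq $false) { $out += 'No enabled outbound Windows Firewall rule blocks TCP 445 (SMB egress)' }
    elseif ($null -eq $smb) { $out += 'Could not check SMB egress locally (NetSecurity module absent); check the perimeter firewall' }
    return $out
}

Get-IEZoneAudit | Format-Table -AutoSize
Get-IEFindings
```

Run it in the context of the user whose browser you are auditing, since the keys are under HKCU; machine-wide policy can also live under the same path in HKLM, which this example does not read. The Trusted Sites listing matters because the article's point is that unknown sites may end up treated as trusted URLs, so the list should contain only sites an administrator deliberately put there.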
Ivan Arce, CTO of Core Security Technologies, said: “This is a tangible threat to millions of individuals and organisations that use Internet Explorer to browse the web, and the discovery of this vulnerability in IE highlights the reality that no vendor is immune to the perils of client application security.
“This issue also illustrates the fact that a group of seemingly unrelated weaknesses can be combined to construct attacks that are effective beyond the narrow scope of exploiting just a single bug. Likewise, the available workarounds show that, beyond simply deploying patches, a combination of security defences and mitigation strategies can effectively prevent attacks.”
See original article on scmagazineuk.com