Re: Phishing using IE7 local resource vulnerability
From: "avivra" <avivra () gmail com>
Date: Fri, 16 Mar 2007 00:03:31 +0200
Indeed. This should work, as "Restricted Sites Zone" is in "High" security
level by default.
To correct myself, I meant that this was the only way _I can think of_ to
mitigate this vulnerability using an out-of-the-box security feature.
From: mattmurphy531 () gmail com [mailto:mattmurphy531 () gmail com] On Behalf Of
Sent: Thursday, March 15, 2007 11:46 PM
Cc: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] Phishing using IE7 local resource
On 3/15/07, avivra <avivra () gmail com> wrote:
Protected Mode and UAC are different security features.
But even so, it is possible to access local resource ("res://") links
with Protected Mode and UAC features enabled. You can test it yourself at
http://www.raffon.net/research/ms/ie/navcancl/cnn.html or watch the demo
video here: http://raffon.net/videos/ie7navcancl.wmv.
The only way to mitigate this vulnerability by an out-of-the-box security
feature is to set the security level of the "Internet Zone" to "High".
But, I doubt anyone will do that when they can simply just avoid clicking
any link in the "Navigation Canceled" page.
On XP SP2 (and probably Vista), you can block the exploitation of this
by disabling script execution for the res:// scheme specifically.
Note that I didn't try blocking the specific resource involved in the
"Refresh the page." link in the navcancl.htm local resource page.
If you attempt to add "res://*" or "res://ieframe.dll/navcancl.htm" to
the Restricted Sites zone, this results in an entry for
"about:internet" being added. After doing this, the "Refresh the
page" text is no longer a clickable link. Removing the
"about:internet" entry reverses the change. It seems that making this
change blocks scripts in ANY resource, even without the wildcard.
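An added audit script for the mitigation discussed above (not posted by anyone in this thread). It assumes the documented Internet Explorer zone registry layout (Zones\4 is Restricted sites, value 1400 is Active scripting, and ZoneMap\ProtocolDefaults maps a URL scheme to a zone number); whether IE honours a ProtocolDefaults entry for the res scheme is an assumption the reader must confirm the way the thread does, by checking that the "Refresh the page." link on navcancl.htm is no longer clickable.

```powershell
# Read-only check: is Active scripting disabled in the Restricted sites zone,
# and is the res: scheme explicitly mapped to that zone? Registry paths and
# value meanings are the documented IE zone layout, assumed here, not taken
# from the thread. Nothing is modified.
$base            = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$restrictedZone  = 4        # Zones\4 = Restricted sites
$activeScripting = '1400'   # URLACTION for Active scripting: 0 enable, 1 prompt, 3 disable

function Get-RestrictedZoneScripting {
    $key   = Join-Path $base "Zones\$restrictedZone"
    $value = (Get-ItemProperty -Path $key -Name $activeScripting -ErrorAction SilentlyContinue).$activeScripting
    switch ($value) {
        0       { 'enabled' }
        1       { 'prompt' }
        3       { 'disabled' }
        default { "unknown ($value)" }
    }
}

function Get-SchemeZone([string]$scheme) {
    # ProtocolDefaults holds one DWORD per scheme name (http, https, file, ...);
    # a missing entry means the scheme has no explicit zone mapping.
    $key   = Join-Path $base 'ZoneMap\ProtocolDefaults'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.$scheme) { return $null }
    return [int]$props.$scheme
}

$scripting = Get-RestrictedZoneScripting
$resZone   = Get-SchemeZone 'res'

"Restricted sites zone, Active scripting: $scripting"
if ($scripting -ne 'disabled') {
    "  WARNING: Restricted sites is not at its default (scripting should be disabled)."
}

if ($null -eq $resZone) {
    "res: scheme has no explicit ProtocolDefaults mapping."
} else {
    "res: scheme is mapped to zone $resZone" + $(if ($resZone -eq $restrictedZone) { ' (Restricted sites)' } else { '' })
}
if ($resZone -ne $restrictedZone) {
    "  Verify in IE whether the 'Refresh the page.' link on navcancl.htm is still clickable."
}
```

Run it in the user's own session, since the zone settings it reads live under HKCU.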
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/