mailing list archives
Re: Phishing using IE7 local resource vulnerability
From: "Matthew Murphy" <mattmurphy () kc rr com>
Date: Thu, 15 Mar 2007 14:46:16 -0700
On 3/15/07, avivra <avivra () gmail com> wrote:
> Protected Mode and UAC are different security features.
> But even so, it is possible to access local resource ("res://") links
> with Protected Mode and UAC features enabled. You can test it yourself here:
> http://www.raffon.net/research/ms/ie/navcancl/cnn.html or watch the demo
> video here: http://raffon.net/videos/ie7navcancl.wmv.
> The only way to mitigate this vulnerability by an out-of-the-box security
> feature is to set the security level of the "Internet Zone" to "High". This
> will disable the "Refresh the page." link in the navcancl.htm local resource page.
> But, I doubt anyone will do that when they can simply just avoid clicking
> any link in the "Navigation Canceled" page.
On XP SP2 (and probably Vista), you can block the exploitation of this
by disabling script execution for the res:// scheme specifically.
Note that I didn't try blocking the specific resource involved in the
If you attempt to add "res://*" or "res://ieframe.dll/navcancl.htm" to
the Restricted Sites zone, this results in an entry for
"about:internet" being added. After doing this, the "Refresh the
page" text is no longer a clickable link. Removing the
"about:internet" entry reverses the change. It seems that making this
change blocks scripts in ANY resource, even without the wildcard.
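The two mitigations discussed in this thread (Aviv's "set the Internet Zone to High" and Matthew's "push the res:// scheme into Restricted Sites") are both IE zone settings, so they can be applied and checked from the registry instead of the Internet Options dialog. The script below is an added example, not code from either poster; it writes the current user's IE zone keys. Two things in it are assumptions rather than facts taken from the thread: that the ProtocolDefaults key (which IE uses to map a URL scheme name to a zone number) accepts a new "res" value, and that mapping res: to zone 4 is the scripted equivalent of the Restricted Sites entry Matthew made through the UI. The zone numbers (3 = Internet, 4 = Restricted Sites) and the 1400 action (Active scripting, 3 = disable) are standard IE registry values. Note that disabling 1400 is only the scripting part of "High"; the UI template changes many other actions as well.

```powershell
# Added example (not from the thread): registry equivalents of the two
# navcancl mitigations, applied to the current user's IE zone settings.
# ASSUMPTION: ProtocolDefaults accepts a "res" value and that mapping it to
# zone 4 matches the Restricted Sites change described in the post.
$IS = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ZoneInternet          = 3        # Internet zone
$ZoneRestricted        = 4        # Restricted Sites zone
$ActionActiveScripting = '1400'   # Active scripting: 0 = enable, 1 = prompt, 3 = disable

function Get-ZoneAction {
    # Read one URL action value for a zone (e.g. 1400 for zone 3).
    param([int]$Zone, [string]$Action)
    $key = Join-Path $IS "Zones\$Zone"
    (Get-ItemProperty -Path $key -Name $Action -ErrorAction Stop).$Action
}

function Disable-ZoneActiveScripting {
    # Mitigation 1 (Aviv's): the part of the "High" template that stops the
    # "Refresh the page." link from running script. Narrower than the UI,
    # which also tightens ActiveX, downloads and other actions.
    param([int]$Zone = $ZoneInternet)
    $key = Join-Path $IS "Zones\$Zone"
    Set-ItemProperty -Path $key -Name $ActionActiveScripting -Value 3 -Type DWord
}

function Add-ResSchemeToRestrictedSites {
    # Mitigation 2 (Matthew's): map the whole res: scheme to Restricted Sites,
    # where Active scripting is disabled by default. ASSUMPTION: this is what
    # the Restricted Sites UI entry ends up doing; not verified against IE7.
    $key = Join-Path $IS 'ZoneMap\ProtocolDefaults'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'res' -Value $ZoneRestricted -Type DWord
}

function Remove-ResSchemeMapping {
    # Reverses mitigation 2, the same way removing the "about:internet"
    # entry reversed the change in the post.
    $key = Join-Path $IS 'ZoneMap\ProtocolDefaults'
    Remove-ItemProperty -Path $key -Name 'res' -ErrorAction SilentlyContinue
}

function Test-NavcanclMitigated {
    # $true if either mitigation is in place: scripting disabled in the
    # Internet zone, or res: mapped to a zone where scripting is disabled.
    if ((Get-ZoneAction -Zone $ZoneInternet -Action $ActionActiveScripting) -eq 3) { return $true }
    $pd = Join-Path $IS 'ZoneMap\ProtocolDefaults'
    $resZone = (Get-ItemProperty -Path $pd -Name 'res' -ErrorAction SilentlyContinue).res
    if ($null -ne $resZone) {
        return ((Get-ZoneAction -Zone $resZone -Action $ActionActiveScripting) -eq 3)
    }
    return $false
}

# Apply the scheme-level mitigation and report the result.
Add-ResSchemeToRestrictedSites
"mitigated: $(Test-NavcanclMitigated)"
```

Restart IE after changing these values; the zone map is read when the browser starts. Machine-wide policy under HKLM (and the "Security_HKLM_only" policy) can override what HKCU says, so Test-NavcanclMitigated reports the user's settings, not necessarily the effective ones.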
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/