Cross-Frame, About Pluggable Protocol, Security Zone Spoofing

Class: Failure to Handle Exceptional Conditions
Remote: Yes
Local: Yes
Found: November 27, 2001
Severity: Mild

Vulnerable:
IE 6.0.2600.0000 + Windows 2000, Update Versions: Q312461
IE 5.50.4134.0100 + Windows ME, Update Versions: q269368

Discussion:

By appending merely a percent sign after an about: URL which has been opened in a window, you can access some elements of the previous document's document object model. What this means is that you can run script in the security context of "My Computer" or "Trusted Sites", and can embed iframes (text/x-scriptlet objects) from varying domains and protocols while the Security Zone indicator still reads "My Computer" or "Trusted Sites". The limitations of this exploit come from the about: pluggable protocol's security restrictions and the security restrictions on embedded objects within this protocol (if you have the latest patches).

Exploits: http://www.osioniusx.com

"trustedSites.html" - Opens an about: page in the Trusted Sites zone and navigates to a javascript: URL while remaining in the Trusted Sites zone.

"Domains.html" - Opens two remote sites in iframes while remaining in the My Computer zone (instead of mixed). You could just as well open .hta, .vbs, even .bat files in this manner.

"MyComputer.html" - Opens an about: page in the My Computer zone and navigates to a javascript: URL.

Potential Solution: Minor fix to the about: pluggable protocol.

Note: Word needs to get out to all users that they need to update their browsers to the latest fixes at all times. I would like to see this automated in future versions of IE.

Vendor Status: Emailed to "Secure@microsoft.com".