Hyperdose Security Advisory

Name: Trusted Site Cross Site Scripting Elevation of Privilege in Musicmatch
Systems Affected: Musicmatch v10.00.2047 or earlier (according to Yahoo, v9.00.5059 and earlier are also affected)
Severity: Moderate
Author: Robert Fly - robfly@xxxxxxxxxxxxx
Advisory URL: http://www.hyperdose.com/advisories/H2005-04.txt

--MusicMatch Description--

From Musicmatch.com, "Musicmatch Jukebox 10 is the most powerful way to find and organize your music, giving you ultimate control of your music experience." In September 04 Musicmatch was purchased by Yahoo! Inc.

--Bug Details--

Upon installation of MusicMatch versions prior to 10.00.2047, the domain *.musicmatch.com is added to the Trusted Sites zone of IE. This zone runs at a very high level of privilege and, since XP SP2, it offers the lowest security of any zone in a default install. As such, adding a domain to this zone needs extra security consideration. The most common way of taking advantage of an application setting this is through Cross Site Scripting issues: any XSS bug in a site inside the zone executes with the zone's relaxed security settings. A quick check showed that there were exploitable XSS bugs in the musicmatch domain.

Musicmatch (now Yahoo!) in its latest release has removed *.musicmatch.com from the Trusted Sites zone, which is a smart move. They have also fixed the XSS vulnerabilities which I had previously reported to them.

--Fix Information--

As of 3/21/05 Yahoo has released a new version which fixes this vulnerability. I have withheld vulnerability details until now so that MusicMatch automatic updates had a chance to propagate.

Downloads available here: http://www.musicmatch.com/download/free/security.htm
Security FAQ available here: http://www.musicmatch.com/info/user_guide/faq/security_updates.htm

--About Hyperdose--

Hyperdose Security was founded to provide companies with application security knowledge through all parts of an application's security development lifecycle. We specialize in all phases of software development, ranging from security design and architectural reviews to security code reviews and penetration testing.

web www.hyperdose.com
email robfly@xxxxxxxxxxxxx
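The Bug Details section above turns on an installer silently mapping a domain into the Trusted Sites zone. The following PowerShell script, an added example that is not part of the advisory or of any Musicmatch/Yahoo code, walks the IE ZoneMap registry keys where those mappings are stored and lists every host pattern assigned to zone 2 (Trusted sites), so an entry like musicmatch.com that nobody added by hand stands out. Zone ids and key layout are the documented IE ZoneMap format; the function and variable names are my own.

```powershell
# Added example, not from the advisory: enumerate host patterns that an
# installer or user has mapped into the IE "Trusted sites" zone (zone id 2),
# the zone the Musicmatch installer added *.musicmatch.com to.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites';
                3 = 'Internet';    4 = 'Restricted sites' }

# Per-user and per-machine ZoneMap roots. A domain key may nest subdomain keys
# (Domains\musicmatch.com\www) and holds one DWORD value per scheme (http, https, *).
$Roots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
)

function Get-IEZoneMapping {
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        $rootName = (Get-Item $root).Name
        foreach ($key in Get-ChildItem -Path $root -Recurse) {
            # Key path "musicmatch.com\www" reads right to left as www.musicmatch.com
            $labels = $key.Name.Substring($rootName.Length + 1) -split '\\'
            [array]::Reverse($labels)
            $hostPattern = $labels -join '.'
            foreach ($scheme in $key.GetValueNames()) {
                $zone = [int]$key.GetValue($scheme)
                [pscustomobject]@{
                    Hive     = $root.Split(':')[0]
                    Host     = $hostPattern
                    Scheme   = $scheme        # "*" means the mapping applies to every scheme
                    Zone     = $zone
                    ZoneName = if ($ZoneNames.ContainsKey($zone)) { $ZoneNames[$zone] } else { "unknown ($zone)" }
                }
            }
        }
    }
}

# Report only Trusted-sites entries; review any domain you did not add yourself.
Get-IEZoneMapping | Where-Object { $_.Zone -eq 2 } | Sort-Object Host, Scheme |
    Format-Table Hive, Host, Scheme, ZoneName -AutoSize
```

Mappings pushed by Group Policy (the "Site to Zone Assignment List") live under the Policies hive rather than these keys and are not covered here.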