Executive Summary

Summary
Title Microsoft Internet Explorer fails to properly restrict access to frames
Informations
Name VU#516627 First vendor Publication 2008-06-27
Vendor VU-CERT Last vendor Modification 2008-07-15
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Cvss Base Score 6.8 Attack Range Network
Cvss Impact Score 6.4 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#516627

Microsoft Internet Explorer fails to properly restrict access to frames

Overview

Microsoft Internet Explorer fails to properly restrict access to a document's frames, which may allow an attacker to modify the contents of frames in a different domain.

I. Description

Frames in HTML documents are subdivisions of the current window. The most common use of frames in web pages is the IFRAME, or inline frame. IFRAMEs can be used to display content from a different domain within the physical representation of the current web page. A common example of the use of an IFRAME in a web page is to display a banner advertisement from a third party.

Microsoft Internet Explorer fails to properly restrict access to a document's frames. This can allow an attacker to replace the contents of a web page's frame with arbitrary content. Internet Explorer still appears to enforce the cross-domain security model, which limits the actions that a malicious frame can take with the parent document. For example, a frame that exists in a different domain should not be able to access the parent document's cookies or HTML content, or other domain-specific DOM components. However, components that are not tied to a specific domain, such as the onmousedown event can be accessed. By monitoring this particular event, an IFRAME can capture keystrokes from the parent document. Other actions may be possible.

Limited testing has shown that Internet Explorer 6, 7, and 8 beta 1 are vulnerable. Proof-of-concept code for this vulnerability is publicly available.

II. Impact

By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message), an attacker may be able to access non-domain-specific elements from a web page that exists in a different domain. For example, the attacker may be able to capture keystrokes while a user is interacting with a web page in a different domain.

III. Solution

We are currently unaware of a practical solution to this problem. Please consider the following workarounds:


Disable Active Scripting

This vulnerability can be mitigated by disabling Active Scripting in the Internet Zone, as specified in the "Securing Your Web Browser" document.

Systems Affected

VendorStatusDate Updated
Microsoft CorporationVulnerable27-Jun-2008

References


http://www.gnucitizen.org/blog/ghost-busters/
http://sirdarckcat.blogspot.com/2008/05/ghosts-for-ie8-and-ie75730.html
http://sirdarckcat.blogspot.com/2008/05/browsers-ghost-busters.html
http://secunia.com/advisories/30851/
http://www.w3.org/TR/REC-html40/present/frames.html
http://msdn.microsoft.com/en-us/library/ms537026(VS.85).aspx

Credit

This vulnerability was publicly disclosed by Eduardo Vela.

This document was written by Will Dormann.

Other Information

Date Public05/12/2008
Date First Published06/27/2008 09:03:16 AM
Date Last Updated07/15/2008
CERT Advisory 
CVE Name 
US-CERT Technical Alerts 
Metric21.87
Document Revision4

Original Source

Url : http://www.kb.cert.org/vuls/id/516627

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 3

Open Source Vulnerability Database (OSVDB)

Id Description
46631 Microsoft IE Frame Location Handling Cross-frame Content Manipulation