Executive Summary

Title Microsoft Internet Explorer cross-domain frame race condition
Name VU#471361 First vendor Publication 2007-06-05
Vendor VU-CERT Last vendor Modification 2007-06-07
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:N/I:N/A:C)
Cvss Base Score 7.1 Attack Range Network
Cvss Impact Score 6.9 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores


Vulnerability Note VU#471361

Microsoft Internet Explorer cross-domain frame race condition


Microsoft Internet Explorer contains a race condition that results in a cross-domain violation.

I. Description

Internet Explorer uses a cross-domain security model to maintain separation between browser frames from different sources. This model is designed to prevent code in one domain from accessing data in a different domain. The Internet Security Manager Object determines which zone or domain a URL exists in and what actions can be performed.

A race condition in Internet Explorer may allow an attacker to evade the cross-domain security model. Note that Internet Explorer 6 and Internet Explorer 7 are affected by this vulnerability.

II. Impact

A website in one domain has the ability to access information in another domain. The website may also be able to execute scripts or take other actions that are permitted in the other domain.

III. Solution

We are currently unaware of a practical solution to this problem.

Do not follow unsolicited links

In order to convince users to visit their sites, attackers often use URL encoding, IP address variations, long URLs, intentional misspellings, and other techniques to create misleading links. Use caution when clicking on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases.

Disable Javascript

Disabling Javascript may mitigate this vulnerability. Instructions for disabling javascript can be found in the Securing Your Web Browser document.

Systems Affected

VendorStatusDate Updated
Microsoft CorporationVulnerable5-Jun-2007




This issue was reported by Michal Zalewski on the Full-Disclosure mailing list.

This document was written by Ryan Giobbi.

Other Information

Date Public06/04/2007
Date First Published06/05/2007 09:24:29 AM
Date Last Updated06/07/2007
CERT Advisory 
CVE Name 
Document Revision13

Original Source

Url : http://www.kb.cert.org/vuls/id/471361

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-362 Race Condition

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:6041
Oval ID: oval:org.mitre.oval:def:6041
Title: Race Condition Cross-Domain Information Disclosure Vulnerability
Description: Race condition in Microsoft Internet Explorer 6 SP1; 6 and 7 for Windows XP SP2 and SP3; 6 and 7 for Server 2003 SP2; 7 for Vista Gold, SP1, and SP2; and 7 for Server 2008 SP2 allows remote attackers to execute arbitrary code or perform other actions upon a page transition, with the permissions of the old page and the content of the new page, as demonstrated by setInterval functions that set location.href within a try/catch expression, aka the "bait & switch vulnerability" or "Race Condition Cross-Domain Information Disclosure Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2007-3091
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008
Product(s): Microsoft Internet Explorer
Definition Synopsis:

CPE : Common Platform Enumeration

Application 3
Os 1
Os 6
Os 5
Os 5
Os 3

OpenVAS Exploits

Date Description
2009-06-15 Name : Ubuntu USN-785-1 (ipsec-tools)
File : nvt/ubuntu_785_1.nasl
2009-06-10 Name : Cumulative Security Update for Internet Explorer (969897)
File : nvt/secpod_ms09-019.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
54944 Microsoft IE Race Condition Cross-Domain Information Disclosure

38497 Microsoft IE Page Transaction Race Condition Arbitrary Code Execution

Snort® IPS/IDS

Date Description
2014-01-10 Microsoft Internet Explorer Javascript Page update race condition attempt
RuleID : 16010 - Revision : 9 - Type : BROWSER-IE
2014-01-10 Microsoft Internet Explorer cross-domain navigation cookie stealing attempt
RuleID : 15529 - Revision : 9 - Type : BROWSER-IE

Nessus® Vulnerability Scanner

Date Description
2009-06-10 Name : Arbitrary code can be executed on the remote host through a web browser.
File : smb_nt_ms09-019.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
Date Informations
2015-05-08 13:28:04
  • Multiple Updates