A security firm warned Tuesday that two versions of Microsoft’s ubiquitous Internet Explorer contain a serious flaw that makes it possible for attackers to steal cookies from Web sites, forge content, read local files and execute arbitrary programs on a user’s PC.
The flaw, discovered by Israel’s GreyMagic Software, affects IE versions 5.5 and 6.0. Any application that embeds IE’s WebBrowser control (the browser’s rendering engine) is affected as well, including Outlook and MSN Explorer.
“It is rated very severe as it defeats all the basic protections set forth by IE and allows access and some execution rights to local content,” Lee Dagon, head of research and development at GreyMagic, told internetnews.com. “An attacker may be able to read private documents, the Windows password .DAT file, make your Amazon ‘buy in one click’ click anything the attacker chooses, and even get access to credit card information in SSL-protected sites.”
The security software firm said the root of the problem lies with the frame and iframe elements. Because these elements may contain URLs from other domains or protocols, they are subject to strict security rules that prevent a frame in one domain from accessing content and information in another.
However, GreyMagic noted that while there are many ways to refer to a frame or iframe document in Internet Explorer, such documents are really instances of the WebBrowser control supplied by Microsoft. By default, the WebBrowser control exposes several potentially dangerous properties, which Microsoft overrides in Internet Explorer.
“Microsoft missed out on one important property — ‘Document’, with a capital ‘D’,” GreyMagic said in a new security bulletin.
The company explained further: “Normally, using ‘oElement.document’ would provide a reference to the document that owns the current element. The same applies to the frame and iframe elements. However, we discovered that when ‘oIFrameElement.Document’ is used, the returned document is the one contained inside the frame, and there are no security restrictions in place to check if it’s in a different domain.”
GreyMagic said this provides full access to the framed page’s Document Object Model, which is what lets an attacker carry out the actions described above against a user’s PC and browsing session.
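To make the missing check concrete, here is an added illustration that is not code from the article, from GreyMagic or from Microsoft: a small Node.js model of the origin comparison a browser must perform before script is handed a reference to a frame’s document. The frame objects, the URLs and the cookie value are constructed for the example; the function names (`sameOrigin`, `makeFrame`, `guardedFrameDocument`, `accessDenied`) are hypothetical.

```javascript
// Added example: a model of the same-origin check that the "document"
// property enforces and that, per the article, the capital-D "Document"
// property skipped. Nothing here is a real browser API; the frame objects,
// URLs and cookie value are constructed for illustration.

// Two URLs share an origin when scheme, host and port all match.
// The WHATWG URL parser normalizes default ports to an empty string,
// so "http://example.com" and "http://example.com:80" compare equal.
function sameOrigin(urlA, urlB) {
  const a = new URL(urlA);
  const b = new URL(urlB);
  return a.protocol === b.protocol &&
         a.hostname === b.hostname &&
         a.port === b.port;
}

// A stand-in for a frame element: the page that owns the frame and the
// page loaded inside it, with a constructed document carrying a cookie.
function makeFrame(ownerUrl, contentUrl) {
  return {
    ownerUrl,
    contentUrl,
    contentDocument: {
      url: contentUrl,
      cookie: 'session=constructed-sample-value', // constructed, not real
    },
  };
}

// The guarded accessor: only hand back the framed document when the
// owner and the framed page share an origin. A cross-origin attempt is
// refused, which is the restriction the article says "Document" lacked.
function guardedFrameDocument(frame) {
  if (!sameOrigin(frame.ownerUrl, frame.contentUrl)) {
    throw new Error('SecurityError: cross-origin frame document access denied');
  }
  return frame.contentDocument;
}

// Convenience wrapper that reports whether an access attempt is refused.
function accessDenied(frame) {
  try {
    guardedFrameDocument(frame);
    return false;
  } catch (e) {
    return true;
  }
}

// Stand-alone run: same-origin access succeeds, cross-origin is refused.
const sameSiteFrame = makeFrame('http://bank.example/', 'http://bank.example/account');
const crossSiteFrame = makeFrame('http://bank.example/', 'http://other.example/');
console.log('same-origin denied?', accessDenied(sameSiteFrame));   // false
console.log('cross-origin denied?', accessDenied(crossSiteFrame)); // true
console.log('scheme change denied?',
  accessDenied(makeFrame('https://bank.example/', 'http://bank.example/'))); // true
```

The model deliberately treats a scheme change (http versus https) and a subdomain change (`www.example.com` versus `example.com`) as different origins, because a check that looked only at the host name would still leak the framed document. Browsers today return `null` from `iframe.contentDocument` for a cross-origin frame and throw on `contentWindow.document`; the throwing behaviour is the one modelled here.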
The security firm said Internet Explorer 5.5 SP2 and Internet Explorer 6 are vulnerable, although the vulnerability does not exist in IE6 SP1. GreyMagic advised users to either disable Active Scripting or upgrade to IE6 SP1 until Microsoft issues a fix.
Microsoft did not respond to queries as of press time.