An unpatched cross-domain vulnerability in Microsoft’s flagship Internet Explorer browser could expose Windows users to cookie hijacks and credentials theft attacks, according to a warning from security researchers.
The zero-day flaw, which has been reported to Microsoft, is a variation of Eduardo Vela’s IE Ghost Busters talk:
Do you believe in ghosts? Imagine an invisible script that silently follows you while you surf, even after changing the URL 1,000 times and you are feeling completely safe. Now imagine that the ghost is able to see everything you do, including what you are surfing and what you are typing (passwords included), and even guess your next move.
No downloading required, no user confirmation, no ActiveX. In other words: no strings attached. We will examine the power of a resident script and the power of a global cross-domain. Also, we will go through the steps of how to find cross-domains and resident scripts.
Details of the new variation have been posted online by the Ph4nt0m Security Team (translation here).
It affects Internet Explorer 6 on Windows XP SP2 and SP3. The new IE 7 browser is not affected because Microsoft changed the way Javascript protocol URLs are handled to prevent these types of attacks.
Security researcher Aviv Raff has created a test page that confirms the attack vector in IE 6. This screenshot shows a script loaded in one domain (raffon.net) showing a cookie of a different domain (google.com):
In the absence of a patch, IE users are strongly encouraged to upgrade to IE 7. Or, as always, consider using an alternative browser.
UPDATE: An alert from US-CERT spells out the risks:
This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary script in the context of another domain. This could allow an attacker to take a variety of actions, including stealing cookies, hijacking a web session, or stealing authentication credentials.
Secunia rates this a moderately critical issue.
