The Israeli security firm GreyMagic recently sent me a note describing the 11th vulnerability its researchers have found in Microsoft’s Internet Explorer, and this one is a really strange threat because it applies only when a particular property (Document) is spelled with an initial capital D. Thus, it has been dubbed the D-Day vulnerability.
GreyMagic has broken news of vulnerabilities before and has done a good job pinpointing some serious problems. In this instance, the firm reports that simply visiting a Web page or opening an e-mail message with one of the vulnerable versions of IE can expose users to:
- Local file reading on the user's system.
- Execution of any program available on the system.
- Cookie reading from any site.
- Web site forging (which makes an attacker's site look like it is a trusted site).
The day it notified me about the issue—October 15—GreyMagic posted its Security Advisory GM#011-IE on NTBugtraq. GreyMagic said that between September 26 and the day it sent us the notification, the company tested various programs and developed its proof-of-concept to validate the discovery. It notified Microsoft of the problem at the same time it notified me and posted its advisory.
Regarding the common practice of notifying Microsoft before warning clients and the press, a GreyMagic spokesperson said, “After quite a few experiences with the [Microsoft Security Response Center], we know that a week or two would make no difference as far as Microsoft is concerned. They take months and months to patch the issues.”
According to data sent to me by the company, it has typically taken Microsoft from three to six months to patch vulnerabilities reported to them by GreyMagic. The firm closed its comments to me by saying, “We’d rather warn customers early than give a 'formal' grace period to Microsoft.”
GM#011-IE provides links to several proof-of-concept demonstrations, including a demo showing how to read someone’s Google.com cookie.
Iframe and frame elements in the WebBrowser control often contain URLs for other Web sites, and in most cases strict security controls manage these potential cross-frame scripting threats. The problem GreyMagic discovered lies in just one property, Document, which isn’t properly protected in several versions of IE (as specified below under Applicability).
What this means is that, for example, oElement.document is a protected reference to the document, but oIFrameElement.Document (with a capital D) returns the frame’s document with no security check to see whether it is coming from a different domain.
This is explained in some detail in the GreyMagic Security Advisory, but the key phrase in the advisory is, “This provides free and full access to the frame's Document Object Model,” making it possible for an attacker to read cookies and other local files or even run programs on the vulnerable system in the My Computer zone.
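The alias problem described above, modelled in plain JavaScript as an added example (this is not IE’s code, not GreyMagic’s proof-of-concept and not part of the original article): a framed document reachable under two spellings of one property, where only the lowercase spelling runs the cross-domain check, followed by the hardened shape in which every alias is routed through the single checked accessor. The origins site-a.example and site-b.example, the cookie value and all function names are constructed for the illustration.

```javascript
// Toy model, added for this article, of the flaw GreyMagic describes: a
// framed document reachable through two property names, only one of which
// runs the cross-domain check. It is not IE's code and not GreyMagic's
// proof-of-concept; the origins and the cookie value below are constructed.

function sameOrigin(urlA, urlB) {
  // A browser's same-origin test: scheme, host and port must all match.
  const a = new URL(urlA);
  const b = new URL(urlB);
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// Vulnerable model: `document` is guarded, the capitalised alias `Document`
// returns the same object with no check at all.
function makeVulnerableFrame(parentOrigin, framedDoc) {
  return {
    get document() {
      if (!sameOrigin(parentOrigin, framedDoc.origin)) {
        throw new Error('Permission denied: cross-domain frame');
      }
      return framedDoc;
    },
    get Document() {
      return framedDoc; // stray alias: the check above is skipped
    },
  };
}

// Hardened model: a single checked accessor, and every alias delegates to
// it, so adding a new name can never add a new unguarded path.
function makeFixedFrame(parentOrigin, framedDoc) {
  const frame = {
    get document() {
      if (!sameOrigin(parentOrigin, framedDoc.origin)) {
        throw new Error('Permission denied: cross-domain frame');
      }
      return framedDoc;
    },
  };
  Object.defineProperty(frame, 'Document', {
    get() {
      return frame.document; // routed through the guarded getter
    },
  });
  return frame;
}

// Probe both spellings and record whether each one exposed the framed
// document's cookie; 'denied' means the security check fired.
function probeFrame(frame) {
  const result = {};
  for (const name of ['document', 'Document']) {
    try {
      result[name] = frame[name].cookie;
    } catch (err) {
      result[name] = 'denied';
    }
  }
  return result;
}

// Constructed sample: a page on one origin framing a document from another.
const framedDoc = {
  origin: 'https://site-b.example',
  cookie: 'session=constructed-sample-value',
};
const PAGE_ORIGIN = 'https://site-a.example';

function demo() {
  return {
    vulnerable: probeFrame(makeVulnerableFrame(PAGE_ORIGIN, framedDoc)),
    fixed: probeFrame(makeFixedFrame(PAGE_ORIGIN, framedDoc)),
    // Same-origin framing must keep working in the hardened model.
    sameOriginFixed: probeFrame(makeFixedFrame('https://site-b.example', framedDoc)),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node: the lowercase path is denied in both models, while the capitalised alias hands over the cookie only in the vulnerable model, and a same-origin frame still works after the fix. The design lesson holds for any object model, not just IE’s: the check belongs on the resource, not on one of the names that reach it, so funnelling every alias through one guarded accessor is far more robust than auditing each spelling separately.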
See Microsoft’s report for a brief explanation of cross-frame scripting security.
Not every version of IE is vulnerable to this threat. IE 5.5 with Service Pack 2 installed and IE 6 without SP1 installed are both vulnerable, but according to GreyMagic’s report, “Surprisingly, this vulnerability does not exist in IE6 SP1. It's hard to believe that Microsoft actually meant to plug it, [since] IE5.5 remains vulnerable, yet somehow this stray property has been covered in [IE6 SP1].”
GreyMagic reports successfully testing this vulnerability on IE 5.5 running on Win98 and NT4, as well as IE6 running on Win98, Win2K, and XP. In addition, GreyMagic points out that this would affect any application using IE’s WebBrowser control, such as Microsoft Outlook.
Although GreyMagic doesn’t post such ratings, and Microsoft hadn’t responded to this report at the time of this writing, I would rate this as a critical vulnerability, one that needs to be dealt with quickly. Fortunately, the fix is relatively easy.
Disable Active Scripting or upgrade to IE 6 and install SP1.
The statistics I collect at one of my own Web sites show that nearly 48 percent of visitors are using IE 6 and 44 percent are running IE 5.5, although I don’t have any way of tracking which have applied service packs or patches. Nevertheless, this shows that a lot of people are using the versions of IE that have this vulnerability.
Interestingly enough, based on my site statistics, even people running old operating systems such as Windows 98 are running newer versions of IE, which surprised me. I would have guessed that those who haven't upgraded their base OS probably haven't updated their browser either—but apparently that’s not the case. At any rate, it's clear that this flaw threatens a lot of systems.