Zalewski (lcamtuf) Strikes Again – More Vulnerabilites in IE and Firefox

The New Acunetix V12 Engine


Our Polish friend and expert security researcher, Michal Zalewski (lcamtuf), known for his endless stream of vulnerabilities in all manners of software, has struck again.

This time with some pretty serious flaws in both Internet Exploder Explorer and Firefox. This time it’s 4, 2 in IE and 2 in Firefox.

The first which effects fully patched IE6 and IE7 is pretty serious and can result in cookie theft, cooking setting, page hijacking or memory corruption.

It’s based on a page update Race Condition (aka bait and switch vuln).

When Javascript code instructs MSIE6/7 to navigate away from a page that meets same-domain origin policy (and hence can be scriptually accessed and modified by the attacker) to an unrelated third-party site, there is a window of opportunity for concurrently executed Javascript to perform actions with the permissions for the old page, but actual content for the newly loaded page

The demo can be found here:

http://lcamtuf.coredump.cx/ierace/

The more serious of the two Firefox flaws is marked MAJOR and not CRITICAL and deals with the way the browser handles IFRAMEs (Cross-site IFRAME hijacking)

Javascript can be used to inject malicious code, including key-snooping event handlers, on pages that rely on IFRAMEs to display contents or store state data / communicate with the server.

A demo can be found here:

http://lcamtuf.coredump.cx/ifsnatch/

The full e-mail with details of his vulnerabilities can be found here:

[Full-disclosure] Assorted browser vulnerabilities

You can also read more at The Register or eWeek.

Posted in: Exploits/Vulnerabilities, Windows Hacking

, , , , , ,


Latest Posts:


Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds.
testssl.sh - Test SSL Security Including Ciphers, Protocols & Detect Flaws testssl.sh – Test SSL Security Including Ciphers, Protocols & Detect Flaws
testssl.sh is a free command line tool to test SSL security, it checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.


4 Responses to Zalewski (lcamtuf) Strikes Again – More Vulnerabilites in IE and Firefox

  1. Daniel June 6, 2007 at 6:10 am #

    I really do think that as all the bugs are being shaken out of firefox and ie and out of OS’es that the exploit of the future will be in scripting languages.

  2. backbone June 6, 2007 at 4:32 pm #

    well you cannot consider script exploits so damage full, there are ment just for cookie stealing, session hijacking and so…. and os’es don’t phuck at this kind of job… ;)

  3. therealdonquixote June 7, 2007 at 12:29 pm #

    The FireFox vulns are pretty easy to avoid. For about:blank, limit what JS can do in your prefs under “advanced”. Don’t forget to have pop-ups blocked as well. Then use the extension TabmixPlus to force all javascript pop-ups to open in a new tab. As a bit of added security you can also have AdBlock Plus as an extension as well. Basically this kills the pop-under before it can load.

    As for the iFrame vuln. This is a pretty easy one to deal with cause every webmaster on earth knows that the world hates iFrames, so they are kinda rare, which makes the following less annoying. Write a simple filter blocking iFrames with AdBlockPlus. You can always unblock them if you see that the site is secure. I keep an eye on what code is okey dokey and whats naughty with FireBug, good for spotting XSS before you walk into it. You could write a greasemonkey script to do the same, but that would be alot of work and a real pain in the ass. Plus I really don’t like greasemonkey, don’t know why.

    If you don’t mind being nagged to death you can just keep the following extensions running all the time:
    NoScript
    Cookie Safe
    Flashblock
    -all nag all the time
    on top of
    AdBlockPlus – just nice to have really
    TabMixPlus – purely to force those JS popups into tabs
    FireBug – Also handy for ripping code or finding the actual locale of that video you want to rip off the web.

    That set up will keep you safe as long as you only allow JS, Cookies and Flash from sites that you know you can trust.

    I like my little tricks better though.

    As for OS vulns, move to Linux. Its safer and just plain kewl.

  4. thefakedonquixote June 8, 2007 at 9:51 am #

    AdBlockPlus does not serve any security purpose. It’s just an annoyance blocker, nice to have if you hate ads. Same for FlashBlock.

    NoScript is the only must have, and it doesn’t “nag all the time”: actually, it’s quite discreet, you notice it only when some retard web designer forgets to code a no-JavaScript fallback.

    In the meanwhile, it guards navigation against XSS in a much more convenient and effective way than “keep an eye on what code is okey dokey and whats naughty with FireBug, good for spotting XSS before you walk into it” 8)