Friday, October 27, 2006

All IE 7 and Firefox 2 vulnerabilities to date.


  • Internet Explorer 7 "mhtml:" Redirection Information Disclosure
The first one that stands out is the Outlook Express vulnerability, which is reachable through IE7. It has been traced back to November 2003, so it is an old issue that has still not been addressed properly. The flaw actually lies in Outlook Express, and Microsoft is still investigating it. Even though the flaw is in Outlook Express and older versions of Internet Explorer such as IE6 have been exposed to it too, the launch of IE7 has drawn a lot of attention to it.

The vulnerability apparently involves a very simple trick: a call to a MIME HTML (MHTML) resource can trigger the running of an executable file, even with high-level security settings. Secunia rates this problem as "less critical," perhaps mainly because it is a trigger mechanism rather than a full-scale virus or Trojan. Conceivably, however, it could be utilized by malicious users within a more complete malware setup. According to Secunia the impact is exposure of sensitive information: the vulnerability is caused by an error in the handling of redirections for URLs using the "mhtml:" URI handler, which can be exploited to access documents served from another web site.

Microsoft responded to reports of the first exploit affecting Internet Explorer 7, which cropped up less than 24 hours after the browser's official launch. Christopher Budd from Microsoft's Security Response Center says the flaw lies not in IE7, but in an Outlook Express component.

Secunia has confirmed the vulnerability on a fully patched system with Internet Explorer 7.0 and Microsoft Windows XP SP2. Other versions may also be affected.

Even if this vulnerability is not directly related to IE7, the security company Secunia does not exclude IE7. Secunia CTO Thomas Kristensen held true to his company's stance that the exploit is attributable to Microsoft's new Web browser. "Microsoft claims the recent IE7 vulnerability is an Outlook Express vulnerability," Kristensen's statement begins. "This may be true, from an organizational point of view within Microsoft. However, the vulnerability is fully exploitable via IE, which is the primary attack vector, if not the only attack vector."

  • Internet Explorer 7 Popup Address Bar Spoofing Weakness

This spoofing issue, uncovered by an anonymous discloser, tested by the security firm Secunia and categorized as less critical, appears to be the first genuine, publicly disclosed flaw in the new Microsoft browser. The Outlook Express issue is a different story: according to Microsoft it is not an IE7 vulnerability, while Secunia won't exclude IE7 since the vulnerability is fully exploitable via IE. So that issue is entirely up to users, whether to take it as an IE vulnerability or an Outlook Express one. This one, however, without doubt points directly at IE 7.

The issue occurs in popup windows. According to Secunia, it is possible to display a popup with a somewhat spoofed address bar when a number of special characters have been appended to the URL. This makes it possible to show only a part of the address bar, which may trick users into performing certain unintended actions. An attacker could exploit this weakness to trick people into believing they are on a trusted Web site when in fact they are viewing a malicious page, Secunia said in an alert.

According to an email statement issued by a Microsoft representative to ZDNet, the problem lies in the way Web addresses are displayed in the IE 7 address bar. An attacker could exploit the issue by tricking a user into clicking on a specially formatted link, the representative said.

However, an attack won't work if a Web site is already known to be part of a phishing scam, since the IE 7 phishing shield will identify such sites and warn the user. So far Microsoft is not aware of any attacks that actually use the reported vulnerability, the company said.

This issue is currently under investigation by Microsoft, and they have said that once the investigation is completed they will take the appropriate steps to protect its customers.

However, George Ou in his blog gives a solution. He says: "The address bar spoofing weakness against IE7 happens when a small popup is spawned and a URL shows up with trailing spaces. The trailing spaces pushed the URL to the left and partially out of sight which hides the actual domain and shows you a fake domain. If you click anywhere on the popup page or click on the background window, the left side of the URL and the actual domain name is revealed but the initial spoofing condition might be useful in a phishing attack to the unsuspecting user. This condition is repeatable when you click on the address bar and that is probably what is being exploited since the popup first shows up with the address bar in focus. The possible solution to this would be to strip out the trailing spaces (since spaces aren't supported in URLs anyways) when popping up browser windows or not allow it to start with the address bar in focus."
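As an added example (not code from IE7, Secunia or George Ou), here is how the mitigation he describes can be checked in code: strip whitespace-like padding from the end of a URL before it is shown, and always take the host from the parsed URL rather than from whatever happens to fit in the bar. The narrow-address-bar simulation, the `visibleChars` width and the sample URLs are constructed for illustration.

```javascript
// Added example: normalising a URL for display in a narrow address bar.
// Not code from IE7, Secunia or George Ou; the address-bar simulation and
// the sample URLs below are constructed for illustration.

// Whitespace-like characters that can be appended to push a URL out of view.
// \s already covers space, tab, NBSP and most Unicode spaces; \u200b
// (zero-width space) is listed explicitly because \s does not match it.
const TRAILING_PAD_RE = /[\s\u200b]+$/;

// Treat percent-encoded spaces as padding too (assumption: the padding may be
// delivered either raw or encoded in the link the victim clicks).
function decodeSpaces(raw) {
  return raw.replace(/%20/gi, ' ');
}

// Remove trailing padding and report whether any was present.
function stripTrailingPadding(raw) {
  const decoded = decodeSpaces(raw);
  const stripped = decoded.replace(TRAILING_PAD_RE, '');
  return { stripped, padded: stripped.length !== decoded.length };
}

// Simulate an address bar that shows only the last `visibleChars` characters
// (the bar scrolled to the end, which the spoof relies on) and report whether
// the real host would be visible before and after stripping the padding.
function analyseDisplayUrl(raw, visibleChars = 40) {
  const { stripped, padded } = stripTrailingPadding(raw);
  let host;
  try {
    host = new URL(stripped).host.toLowerCase();
  } catch (e) {
    // Not a parseable absolute URL: there is nothing trustworthy to display.
    return { parseable: false, padded, host: null, hostVisibleRaw: false, hostVisibleStripped: false };
  }
  const visibleRaw = decodeSpaces(raw).slice(-visibleChars).toLowerCase();
  const visibleStripped = stripped.slice(-visibleChars).toLowerCase();
  return {
    parseable: true,
    padded,
    host, // what the UI should show prominently, regardless of what fits in the bar
    hostVisibleRaw: visibleRaw.includes(host),
    hostVisibleStripped: visibleStripped.includes(host),
  };
}

// Constructed samples: a spoof with a look-alike domain in the path plus trailing
// spaces, the same spoof percent-encoded, an honest URL, and a long honest path.
const SAMPLES = [
  'http://attacker.example/www.bank.example/login' + ' '.repeat(16),
  'http://attacker.example/www.bank.example/login' + '%20'.repeat(16),
  'https://www.bank.example/login',
  'http://attacker.example/' + 'a'.repeat(60),
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(analyseDisplayUrl(s)));
}
```

Stripping the padding brings the real host back into view for the first two samples, but the last sample shows why stripping alone is not enough: a long honest path also pushes the host out of a 40-character bar, so the parsed `host` should be displayed separately (or the bar should start at the left), which is the other half of Ou's suggestion.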

I hope they do take the necessary actions before these less critical issues are massively exploited by some of the malicious minds out there. No wonder it is reported that Microsoft has chided the anonymous disclosure, because it prefers that security issues be disclosed privately so it can repair them before they become publicly known.

Outlook Express issue sources:-
Secunia's related info.
ZDNet's related article.

Spoofing issue sources:-
ZDNet's related article.
Secunia's related info.
George Ou's article

Also, talking about IE7, I thought I would share this article titled "Is Internet Explorer 7 spying on me?" which I saw at the DCoT blog. Take a look at it here. Not just the article is interesting to read; there is a good discussion going on about it in the comments area. As far as the debate about the browsers goes, I personally feel that both have their own advantages, and I use both.


Now, on the other end, Mozilla's Firefox is having its share of security issues, and along with the glory it's getting tainted with its own security issues. Here goes:-

  • Issues brought up by Bugtraq:

The first issue, surprisingly, again had something to do with mail in this case. Bug tracking mailing lists have been talking about a flaw affecting the just-released Firefox 2. Even though Bugtraq called the condition critical, Mozilla's security chief Window Snyder insisted the report is wrong and that the problem was already "fixed". And Secunia, which has reported both the IE7 issues, lists this issue as affected by zero Secunia advisories.

Actually it all started when the Bugtraq mailing list reported that the issue, labeled "critical" by Mozilla, had resurfaced in Firefox 2. But Mozilla says the Firefox bug was considered critical and "fixed" last month.

Crash condition:

Window Snyder admitted a crash condition remained. "The exploitable issues are fixed. There is a crash, but it is a denial of service," Snyder said. "We're going to look at it and make sure there is really nothing there."

George Ou says in his ZDNet blog that "any kind of flaw that can cause an application to crash has to be alarming because it might be exploitable. It sounds like some modifications were made to make the exploit condition less exploitable but a crash condition still exists." And he goes on: "this may or may not still be a serious flaw since the exploit still crashes Firefox 2.0. At some point Mozilla would have to admit this is a problem and really fix it so that the browser doesn't crash at all."

Cyberscams issue:

Another report on the Full Disclosure mailing list suggested that there is a flaw in Firefox 2 that could be exploited to aid in cyberscams. The report included some computer code, but not enough for Mozilla to determine whether there is a problem, Snyder said.

"We don't have enough information to identify it. If we get more information, then we will investigate," she said.

Two old issues still unpatched in Firefox:

There are still two vulnerabilities rated 2 out of 5 by Secunia (a similar rating to the two IE7 issues) that have not been patched by Mozilla. They are:-

1. Mozilla / Mozilla Firefox Cross-Domain Cookie Injection Vulnerability
2. Mozilla / Mozilla Firefox Apple Java Plugin Tab Spoofing Vulnerability

Check them out here: vulnerability 1, vulnerability 2.

Mozilla's info on bug tracking issue fixed last month.
Secunia's info on bug tracking issue.
ZDNet's related article.

George Ou's article about media bias.

So it seems both IE7 and Firefox share a common issue when it comes to phishing.

Talking about the phishing issue, here is another article that talks about how it has grown: the number of brands under attack from phishing was up 20 percent from June and 12 percent from the previous record in May. An interesting thing to note from the article is that "The survey found a large increase in traffic redirectors, and DNS redirectors in particular. These modify a system's DNS settings to direct some or all DNS lookups to a fraudulent DNS server capable of directing users to fraudulent sites when particular addresses are entered."

Read more from the survey and news about phishing here.


Anonymous said...

Great news. It's hard to imagine that Firefox has become even better!
Now it's the ultimate browser, I guess.

Download Firefox 2