Overview
Microsoft Internet Explorer (IE) does not properly determine the source of script used in URLs. An attacker could exploit this vulnerability to evaluate script in different security domains. By causing script to be evaluated in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE.
Description
IE uses a cross-domain security model to maintain separation between browser frames from different sources. This model is designed to prevent code in one domain from accessing data in a different domain. From Microsoft Security Bulletin MS03-048: One of the principal security functions of a browser is to ensure that browser windows that are under the control of different Web sites cannot interfere with each other or access each other's data, while allowing windows from the same site to interact with each other. To differentiate between cooperative and uncooperative browser windows, the concept of a "domain" has been created. A domain is a security boundary - any open windows within the same domain can interact with each other, but windows from different domains cannot. The cross-domain security model is the part of the security architecture that keeps windows from different domains from interfering with each other. javascript:eval('alert("Hello world.")') This URL will display an alert dialog with the contents of the HTTP cookie for the current site: javascript:alert(document.cookie) The cross-domain security model should not allow script from one domain to read or modify data in a different domain using this type of URL. The execCommand method does not properly validate the source domain of the URL. If the location of a frame in one domain is changed to a javascript: URL and the execCommand method is used to issue a Refresh command, the script will be evaluated in the original domain. |
Impact
By convincing a victim to view an HTML document (web page, HTML email), an attacker could evaluate script in a different security domain than the one containing the attacker's document. By causing script to be evaluated in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE. |
Solution
Apply patch |
|
Vendor Information
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | ||
Temporal | ||
Environmental |
References
- http://www.safecenter.net/liudieyu/BodyRefreshLoadsJPU/BodyRefreshLoadsJPU-Content.htm
- http://www.microsoft.com/technet/security/bulletin/MS03-048.asp
- http://msdn.microsoft.com/workshop/author/dhtml/reference/methods/execcommand.asp
- http://msdn.microsoft.com/workshop/author/dhtml/reference/constants/refresh.asp
- http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp
- http://support.microsoft.com/support/kb/articles/Q182/5/69.asp
- http://support.microsoft.com/support/kb/articles/Q174/3/60.asp
- http://msdn.microsoft.com/workshop/author/om/xframe_scripting_security.asp
- http://msdn.microsoft.com/workshop/security/szone/overview/overview.asp#SecurityZones
- http://msdn.microsoft.com/workshop/security/szone/overview/overview.asp#default_zones
- http://www.microsoft.com/office/previous/outlook/2002security.asp
- http://www.microsoft.com/windows/ieak/default.asp
- http://www.secunia.com/advisories/10192/
- http://www.secunia.com/advisories/9711/
- http://xforce.iss.net/xforce/xfdb/13675
- http://www.securityfocus.com/bid/9015
Acknowledgements
This vulnerability was publicly reported by Liu Die Yu. Thanks to Microsoft and Thor Larholm for information used in this document.
This document was written by Art Manion.
Other Information
CVE IDs: | CVE-2003-0814 |
Severity Metric: | 42.10 |
Date Public: | 2003-09-10 |
Date First Published: | 2003-11-19 |
Date Last Updated: | 2003-12-05 19:11 UTC |
Document Revision: | 29 |