Microsoft has identified a couple of security issues in its web browser software Internet Explorer.
The two newly discovered vulnerabilities involve Internet Explorer’s cross-domain security model – which should keep windows of different domains from sharing information.
Incomplete security checking, however, causes Internet Explorer to allow one website to potentially access information from another domain when using certain dialog boxes.
In order to exploit this flaw, an attacker would have to host a malicious web site that contained a web page designed to exploit this particular vulnerability and then persuade a user to visit that site.
Once the user has visited the malicious web site, it would be possible for the attacker to run malicious script by misusing a dialog box and cause that script to access information in a different domain. In the worst case, this could enable the web site operator to load malicious code onto a user’s system. In addition, this flaw could also enable an attacker to invoke an executable that was already present on the local system.
A related cross-domain vulnerability allows Internet Explorer’s showHelp() functionality to execute without proper security checking.
showHelp() is one of the help methods used to display an HTML page containing help content. showHelp() allows more types of pluggable protocols than necessary, and this could potentially allow an attacker to access user information, invoke executables already present on a user’s local system or load malicious code onto a user’s local system.
The requirements to exploit this vulnerability are the same as for the issue described above: an attacker would have to host and lure a user to a malicious web site. In this scenario, the attacker could open a showHelp window to a known local file on the visiting user’s local system and gain access to information from that file by sending a specially crafted URL to a second showHelp window. The attacker could also potentially access user information or run code of attacker’s choice.
To fix the problems, Microsoft has developed a patch that users can download from its Web site. The cumulative patch includes the functionality of all previously released patches for IE 5.01, 5.5 and 6.0.
This cumulative patch will cause window.showHelp( ) to cease to function. When the latest HTML Help update – which is being released via Windows Update with the patch – is installed, window.showHelp( ) will function again, but with some limitations.
This, Microsoft says, has been necessary ‘in order to block the attack vector that might allow a web site operator to invoke an executable that was already present on a user’s local system’.