Another 9 Exploits Found in IE
A week after finding a serious flaw in Internet Explorer versions 5.5 and 6, GreyMagic found another vulnerability, this time in the browser's caching object script.
Previous IE versions, as well as IE 6.1 are unaffected by the flaw, said officials at GreyMagic Software Tuesday, the Israeli firm who discovered the flaw. Last week, the company publicized a flaw in IE 5.5 and 6 that lets hackers steal Web cookies from Web sites and forge content to read local files and execute programs in the Document Object Model (DOM).
Microsoft officials were unaware of the vulnerability at press time. After last week's flaw was published, they berated GreyMagic for not giving their own engineers time to investigate the vulnerability.
Tuesday's nine vulnerabilities all find their root in object caching, which performs security checks when people visit Web sites. In the time it takes for one page to unload and the other to load, these security checks determine whether both pages are in the same security zone and domain.
The problem, according to GreyMagic engineers, is that objects that are supposed to be inaccessible when the pages are unloaded and the references stored become open to exploit. In essence, the assumed-to-be-inaccessible pages are now interoperable with other documents, such as the attacker's page found on his or her site.
While the object caching vulnerability affects one area of the Web browser, there are nine separate methods for exploitation. Following are the methods and their potential impact. GreyMagic also published the exploits to compromise the vulnerability, but internetnews.com does not publish exploits:
- showModalDialog - Full access in IE 5.5, "My Computer" zone access in IE 6.
- external - Full DOM access on both versions.
- createRange - Full DOM access on both versions.
- elementFromPoint - Full DOM access on both versions.
- getElementById - Full DOM access on both versions.
- getElementsByName - Full DOM access on both versions.
- getElementsByTagName - Full DOM access on both versions.
- execCommand - read access to the loaded document.
- clipboardData - read/write access to the clipboard, regardless of settings.
GreyMagic engineers recommend disabling Active Scripting until a patch is released, or upgrading to IE 6.1.