Modernizing Authentication — What It Takes to Transform Secure Access
The flaw, as discovered by Israel's GreyMagic Software, is endemic to IE versions 5.5. and 6.0. However, any application that uses IE's engine WebBrowser control is affected as well, including Outlook and MSN Explorer.
"It is rated very severe as it defeats all the basic protections set forth by IE and allows access and some execution rights to local content," Lee Dagon, head of research and development at GreyMagic, told internetnews.com. "An attacker may be able to read private documents, the Windows password .DAT file, make your Amazon "buy in one click" click anything the attacker chooses, and even get access to credit card information in SSL-protected sites."
Microsoft took exception to the fact that GreyMagic Software posted the flaw without having a chance to review it. A company spokesman told internetnews.com: "The Microsoft Security Response Center is thoroughly investigating this issue, just as we do with every report we receive of security vulnerabilities affecting Microsoft products. At this point in the investigation we feel strongly that speculating on the issue while the investigation is in progress would be irresponsible and counterproductive to our goal of protecting our customers' information."
However, while GreyMagic noted that there are many ways to refer to an iframe, frame document in Internet Explorer, they are really instances of the WebBrowser control supplied by Microsoft. It is this WebBrowser control that exposes several potentially dangerous properties by default, which Microsoft overrides in Internet Explorer.
"Microsoft missed out on one important property -- "Document", with a capital "D"," GreyMagic said in a new security bulletin.
The company explained further: "Normally, using "oElement.document" would provide a reference to the document that owns the current element. The same applies to the frame and iframe elements. However, we discovered that when "oIFrameElement.Document" is used, the returned document is the one contained inside the frame, and there are no security restrictions in place to check if it's in a different domain."
GreyMagic said this provides full access to the frame's Document Object Model, which allows an attacker gain access to a person's PC to perform the aforementioned sinister duties.
The security firm said Internet Explorer 5.5 SP2 and Internet Explorer 6 are vulnerable, although the vulnerability does not exist in IE6 SP1. GreyMagic advised users to either disable Active Scripting or upgrade to IE6 SP1 until Microsoft issues a fix.
Microsoft did not respond to queries as of press time.