No April Fools Joke here!


turn_on68
04-01-2004, 08:57 AM
TITLE:
Internet Explorer/Outlook Express Restricted Zone Status Bar Spoofing

SECUNIA ADVISORY ID:
SA11273

VERIFY ADVISORY:
http://secunia.com/advisories/11273/

CRITICAL:
Not critical

IMPACT:
Security Bypass

WHERE:
From remote

SOFTWARE:
Microsoft Outlook Express 6
Microsoft Outlook Express 5.5
Microsoft Outlook Express 5
Microsoft Internet Explorer 6
Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 5.5

DESCRIPTION:
http-equiv has discovered a weakness in Internet Explorer, which
potentially can be exploited by malicious people to trick users into
visiting a malicious website.

It is normally possible for script code to manipulate information
displayed in the status bar. However, an error in Internet Explorer
allows manipulation of the status bar without using any script code.
This can be exploited by embedding a specially crafted form in a
link.

Example:
<A HREF="http://[trusted_site]/">
<FORM action=http://[malicious_site]/ method=get>
<INPUT style="BORDER-RIGHT: 0pt; BORDER-TOP: 0pt; FONT-SIZE: 10pt;
BORDER-LEFT: 0pt; CURSOR: hand; COLOR: blue; BORDER-BOTTOM: 0pt;
BACKGROUND-COLOR: transparent; TEXT-DECORATION: underline"
type=submit value=http://[trusted_site]/>
</A>

This also affects Outlook Express as it uses the same HTML rendering
functionality as Internet Explorer. Outlook Express users may
especially trust information displayed in the status bar since HTML
documents are viewed in context of the "Restricted" zone, which has
scripting support disabled.

Successful exploitation may result in a user being tricked into
visiting a malicious website by following a specially crafted link.

The problem has been confirmed in versions 5.01 and 6. Version 5.5 is
likely also affected.

SOLUTION:
Never follow links from untrusted sources.

PROVIDED AND/OR DISCOVERED BY:
http-equiv, malware.com.

----------------------------------------------------------------------
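The trick in the advisory works because the status bar reports the href of the enclosing A element while the click actually submits the FORM nested inside it. The following scanner, added here as an example and not taken from the advisory or from http-equiv, flags that pattern in HTML content (for instance in a mail filter): a submit control inside a FORM that is itself inside an A, where the form's action host differs from the host the anchor advertises. It generalises slightly beyond the advisory's exact markup, since any action host that disagrees with the anchor host is reported. The sample document, the hostnames bank.example and attacker.example, and the function and class names are all constructed for this example; only the Python standard library is used.

```python
"""Detect status-bar spoofing via a <form> nested inside an <a>.

Added example (not from the original advisory). Hostnames, markup and
function names below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


def host_of(url):
    """Hostname of a URL (urlparse lowercases it); None when there is none."""
    return urlparse(url.strip()).hostname


class LinkFormMismatchScanner(HTMLParser):
    """Records submit buttons whose enclosing <form> posts to a host other
    than the one shown for the <a> wrapped around it."""

    def __init__(self):
        super().__init__()
        self.anchor_hrefs = []       # hrefs of currently open <a> elements
        self.form_in_anchor = None   # (anchor_href, form_action) inside a nested form
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)              # valueless attributes come through as None
        if tag == "a":
            self.anchor_hrefs.append(a.get("href") or "")
        elif tag == "form" and self.anchor_hrefs:
            # A form opened while an anchor is still open: remember both targets.
            self.form_in_anchor = (self.anchor_hrefs[-1], a.get("action") or "")
        elif (tag == "input" and self.form_in_anchor
              and (a.get("type") or "").lower() == "submit"):
            anchor_href, action = self.form_in_anchor
            # The status bar shows anchor_href; a click submits to action.
            if host_of(anchor_href) != host_of(action):
                self.findings.append({
                    "status_bar_shows": anchor_href,
                    "submits_to": action,
                    "button_label": a.get("value") or "",
                    "line": self.getpos()[0],
                })

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_in_anchor = None
        elif tag == "a" and self.anchor_hrefs:
            self.anchor_hrefs.pop()
            self.form_in_anchor = None   # a nested form cannot outlive its anchor


def scan_html(html):
    """Return a list of findings for every anchor/form host mismatch in html."""
    scanner = LinkFormMismatchScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: one spoofed link in the advisory's style, one ordinary
# link, and one nested form whose action matches the anchor (benign).
SAMPLE_HTML = """
<p>Please verify your account at <a href="http://bank.example/login">our site</a>.</p>

<a href="http://bank.example/">
<form action=http://attacker.example/ method=get>
<input style="BORDER-RIGHT: 0pt; CURSOR: hand; COLOR: blue;
BACKGROUND-COLOR: transparent; TEXT-DECORATION: underline"
type=submit value=http://bank.example/>
</a>

<a href="http://bank.example/search">
<form action="http://bank.example/search" method="get">
<input type="submit" value="Search">
</form>
</a>
"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"line {f['line']}: status bar shows {f['status_bar_shows']}, "
              f"but the click submits to {f['submits_to']} "
              f"(button label {f['button_label']!r})")
```

Only the first nested form is reported: its action host (attacker.example) disagrees with the anchor host (bank.example), and the button label repeats the trusted URL exactly as in the advisory. The benign nested form is ignored because both hosts agree. This is a detection heuristic for content passing through a filter, not a fix for the rendering behaviour itself.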