Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

IE 7.0/8.0b Code Execution 0-Day Released

Posted by kdawson on Fri May 16, 2008 08:45 AM
from the cross-zone-scripting dept.
Security Bug Internet Explorer The Internet
SecureThroughObscure writes "Security blogger and researcher Nate McFeters blogged about a 0-day exploit affecting IE7 and IE8 beta on XP that was released by noted security researcher Aviv Raff. The flaw is a 'cross-zone scripting' flaw that takes advantage of the fact that printing HTML web pages occurs in the Local Machine Zone in IE rather than in the Internet Zone. Quoting McFeters's post: 'This is currently unpatched and in all of its 0-day glory, so for the time being, beware printing using the "print table of links" option when printing web pages.' McFeters and others will be presenting at Black Hat on the link between cross-site scripting and cross-zone. Rob Carter has been hitting this hard over at his blog, pointing out cross-zone weaknesses in Azureus, uTorrent, and the Eclipse platform."
+ -
story

Related Stories

Submission: IE 7.0/8.0b Code Execution 0-day Released! by SecureThroughObscure (1282782)
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

IE 7.0/8.0b Code Execution 0-Day Released 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • 0-day (Score:5, Insightful)

    by Anonymous Coward on Friday May 16 2008, @08:51AM (#23432500)
    0-day? This term seems to have lots all meaning. Could we please stop using it?

  • A Disturbing Trend, But Not Unforeseen... (Score:5, Insightful)

    by blcamp (211756) on Friday May 16 2008, @08:51AM (#23432506) Homepage

    The more complex the software releases become, the more complex and insidious the exploits of them become also.

    • The more complex the software releases become, the more complex and insidious the exploits of them become also.

      I'm not sure if that statement will hold up to scrutiny. If complex software is the issue, then you'd expect exploits to be consistent across platforms when comparing software of similar complexity. I haven't seen any research supporting that observation. I have seen research that says more complex software will likely contain more coding errors and potential exploits but haven't seen a correl

  • Amazing (Score:5, Funny)

    by duplicate-nickname (87112) on Friday May 16 2008, @08:53AM (#23432544) Homepage
    I didn't even know that "Print table of links" was an option for printing in IE until today. My guess is that no one actually uses that feature, and this 0-day exploit affects roughly 0 people.

    • Re:Amazing (Score:5, Insightful)

      by CastrTroy (595695) on Friday May 16 2008, @09:00AM (#23432652) Homepage
      Even if you did know about the feature, I'm not sure of it's usefulness. Saveing a spreadsheet of links might be useful, but printing them out? Most URLSs are pretty hard to type back in, and wouldn't be all that useful on paper. Look at the url I'm no right now.

      http://it.slashdot.org/comments.pl?sid=555236&op=Reply&threshold=1&commentsort=0&mode=nested&pid=23432544 [slashdot.org]

      Why you would want that printed out on a piece of paper is beyond me. It might possibly somewhat work on a PDF printer, but even then, it's use is limited.

      • Re:Amazing (Score:5, Funny)

        by Anonymous Coward on Friday May 16 2008, @09:08AM (#23432768)
        You're forgetting about another MSIE feature, a TWAIN plugin called "Scan table of links".

    • Re: (Score:3, Insightful)

      by Penguinisto (415985)
      Actually, I could see uses for it - but mostly for web designers as an audit tool, and for corporate security types who want to gin up a list of naughty links with which to show the employee and his/her boss.

      Now for a real use? Well, maybe one. To save having to scribble them down, you could waste a couple reams of paper printing out, oh, maybe a dozen MS Sharepoint links to an overly-anal supervisor who demands that you include reference links in a printed report.

      /P

  • This is proof of what I've said from the beginning -- the whole concept 'zones' in IE is stupid and pointless. Scripts should be allowed only what you allow them, period. You should be able to give permissions down to the individual site (ala NoScript) or even down to the individual script.

    • Re:Proof (Score:5, Insightful)

      by ScentCone (795499) on Friday May 16 2008, @09:02AM (#23432682)
      You should be able to give permissions down to the individual site (ala NoScript) or even down to the individual script.

      Look, for most people, the zone idea actually makes sense. Basically, don't trust ANY web site to do the tricksy stuff, but add (for example) your company's intranet to the safe zone, where it can do more desktop-ish stuff. I don't think that's such an awkward concept, and it spares people from having to think through what to allow, or not, on a site by site basis, as they surf. Most people are not this audience. And being able to enforce zone policies at the enterprise level makes a lot of sense, since average users are routinely shown to be spineless and witless: they'll add a poisonous Russian casino spam site to the safe list if that site pops up a tutorial on the steps the have to take to do so, if they want their free emoticon package.

      Fiddly, granular systems only work for fiddly, granular people.
      • Pffft. So tell me-- why when I browse a site in the "Internet-zone" and then print a table of links, does that function run in the 'Local Zone'?

        I'll tell you why: because it has to. You can't access local devices in the Internet Zone. That's the point. Granular approaches would allow you to print without accidentally giving other permissions to something that shouldn't have them.

        At the enterprise level, with something like NoScript, you can just allow entire domains, say intranet.example.com or whatever your organization uses.

        Next thing you're gonna tell me is that you think Microsoft should do away with ACLs at the individual file level or even the directory because users are just too stupid to figure that out. They should just have "file zones" and people will just have to stick their files in the right zone. Pffft.

        • Re:Proof (Score:4, Funny)

          by keytoe (91531) on Friday May 16 2008, @12:45PM (#23436734) Homepage
          Your markup is incorrect - you left the slash off your closing Pffft. tag.

        • Re:Proof (Score:4, Insightful)

          by knarf (34928) on Friday May 16 2008, @04:39PM (#23440384) Homepage
          While it may be true (and it *better be true*) that untrusted zones can not directly touch local devices the question still remains why there is any processing being done on data from a lower-trust zone *inside* a higher-trust zone. That is the wrong approach. Had they formatted the document to be printed inside the lower-trust zone and handed a formatted document to the higher-trust zone (in whatever format is used to print documents: metafile, postscript, etc) to be printed this problem would not have occurred. That is, given that the print spooler does not goof up with the data to be printed of course...

      • Re: (Score:3, Interesting)

        by CastrTroy (595695)
        Why would you want special permissions on stuff in your intranet? Couldn't any disgruntled employee set up a webserver on their computer, send out a mass email, telling people to visit the url. and infect a large portion of the computers in the office? If you want special permissions for intranet servers, install your own CA, and let the browser run stuff only signed by that CA.

          • Re:Proof (Score:5, Insightful)

            by CastrTroy (595695) on Friday May 16 2008, @09:47AM (#23433474) Homepage
            And for IE the defaults allow special permissions to your entire intranet. By default all the permissions should be low. There's no reason to grant higher permissions to the entire intranet. If you need something like that set up at your organization, you should have to enable it per server, or per domain.

      • Re:Proof (Score:5, Insightful)

        by Penguinisto (415985) on Friday May 16 2008, @09:27AM (#23433094) Journal
        Having actually used the 'Zones' concept recently on IE, I gotta say - it needs work. LOTS of work. The first time someone wants to diddle with a MySpace app and discovers that it won't work until you basically ratchet down the settings --often by hand in the advanced options--? Then couple that with the fact that many websites can pull in parts and content from multiple domains, requiring permissions to be set on each and every one? The whole thing would go out the window and the user would promptly ratchet down the whole WWW.

        The concept itself is okay, but the implementation could use a good, solid overhaul.

        /P

      • Re: (Score:3, Insightful)

        by MobyDisk (75490)
        People just need to stop using web browsers as a way to control the desktop. If you are in a domain, then the domain administrator can push executable apps, policies, and commands down to the computer. HTML, Javascript, and ActiveX are not tools for administering networks.

        Also, having developed desktop applications that used embedded IE, I can tell you the zones system is completely screwed-up. It changes in every version, the APIs are inconsistent across different Windows OS's, and there are crazy looph

    • That's insufficient. The danger from scipts comes from sites you *do* trust that get hacked. And if you grant permission per script, how many people are competent to read a script and judge it to be non-malicious? Of those, how many will feel like taking the time for every single script?

      NoScript is good, and I use it, but it's far from sufficient to secure the browser against script-based attacks.

    • Re:Proof (Score:4, Insightful)

      by Manip (656104) on Friday May 16 2008, @09:17AM (#23432936)
      IE or any other modern browser on the market.

      You would also have every web developer in the marketplace whining about how IE ignores standards if they pulled the plug on scripting.

      Sorry but Zoning in IE is fine. IE 7 is actually a pretty good modern browser and, sure, it isn't perfect but frankly what is?

    • Re:Proof (Score:4, Informative)

      by myxiplx (906307) on Friday May 16 2008, @09:24AM (#23433032)
      I disagree, zones are great, I just wish they'd implemented them better. We use zones as a quick way to enforce across the whole organisation which sites can and can't run scripts. The concept is superb, regular sites can't run scripts, activex, or anything. IT designated 'trusted' sites work fine.

      Unfortunately, IE7 has made things a little more difficult:

      - Pages with content from various zones no longer show up as 'mixed'. Since the upgrade to IE7, all sites only show the zone of the main URL, however the content runs according to the security zone for it's own source. It makes it almost impossible to work out whether a site can or can't run scripts, and you end up digging into the pages source code to work out what sites need adding to the trusted zones to get pages to work.

      - Dynamic scripts added to a page in the 'trusted' zone, execute from the 'internet' zone. This is "by design"... The only workaround is to change the way the code works on the server.

      - If you want to lock down the 'internet' zone, you will need to add "about:internet" to your 'trusted' zone

      - You will also need to add res://ieframe.dll to your 'trusted' zone
    • I like the zones; I wish Firefox had them. I love NoScript very much, but I wish I didn't have to authorize, say, slashdot.org, to run java apps. I'd rather configure a middle tier that would allow javascript and nothing else.

      • scripting is not dangerous unless there's a flaw in javascript.

        If only JavaScript were the only scripting option on IE. Furthermore, JavaScript is one of the primary vectors of attack for Firefox, IE and Opera: what makes you think that an untrusted JavaScript is NOT dangerous?

        you can do it with IE by putting the sites into the different zones.

        Right. Again, see how NoScript does it. Far easier and more convenient for the user, IMHO.

  • Usage (Score:5, Funny)

    by Wowsers (1151731) on Friday May 16 2008, @08:56AM (#23432594) Journal
    People still use Internet Exploder?

    • People still use Internet Exploder?
      yes, I use Internet Explorer in Windows Vista that is the safest browser because it runs with the lowest privileges possibile in a sandbox (IE7 Protected mode). In fact IE7 under Vista is not affected by this flaw i.e. remote code execution is not possible (yet another reason to use Vista and UAC).

  • For using IE since 2.X... (Score:3, Funny)

    by AioKits (1235070) on Friday May 16 2008, @09:01AM (#23432666) Homepage
    I can safely say I did not know this ability even existed. (Don't hurt me! I use FireFox at home! Honest! I even brought some FF t-shirts and the laptop tote.)

  • Irresponsible disclosure (Score:5, Interesting)

    by benjymouse (756774) on Friday May 16 2008, @09:01AM (#23432670)
    The vuln. is probably real, but Aviv Raff notified Microsoft the day before he went public with a "treasure hunt" for this bug (celebrating Isreals 60th birthday); thus the fact that it's a 0day vuln. is entirely his doing. Way to go.

    • Re:Irresponsible disclosure (Score:5, Insightful)

      by reset_button (903303) on Friday May 16 2008, @09:12AM (#23432828)
      Is it better to keep it secret until a patch comes out and hope that nobody else has discovered the vulnerability, or publicize it and let people know not to use this IE feature until it's patched?

    • Re: (Score:2, Insightful)

      by Anonymous Coward
      The vuln. is probably real, but Aviv Raff notified Microsoft the day before he went public with a "treasure hunt" for this bug (celebrating Isreals 60th birthday); thus the fact that it's a 0day vuln. is entirely his doing. Way to go.
      Yes, as always... blame the whistle blower not the manufacturer of the crap product.
      • Nobody is blaming Aviv for the existence of the bug. Nobody is blaming Aviv for telling people about the bug.

        We *might* be blaming Aviv for telling the world, script kiddies and botnet operators alike, about this bug -before- even notifying the manufacturer of the crap product.

        Nor did Aviv wait a reasonable time period for the manufacturer to admit their product's crap state and issue either A. a warning of their own (don't print links) or B. a fix, while providing full credit for discovering the bug to Av
    • Yeah, really. There's no glory in "finding" a zero day exploit; it's not as if it's inherently more severe or damning than any other flay. But it sure looks better on the headlines.

  • Can it be triggered via javascript? (Score:5, Interesting)

    by foniksonik (573572) on Friday May 16 2008, @09:08AM (#23432774) Homepage Journal
    Can you trigger this behavior in an onload event?

    If not it's a rather useless exploit other than as a prank to pull on your secretary... "Hey Sandra... can you print out a table of links for this website?"

    5 minutes later "What the F***!"

    "HAHAHAHAHAHAHA... I totally got you!"

    • Re:Can it be triggered via javascript? (Score:5, Informative)

      by ruiner13 (527499) on Friday May 16 2008, @09:51AM (#23433562) Homepage
      You can certainly trigger the window.print() command in the onload, but setting the properties of the dialog to what is needed for this exploit cannot be done. VBScript may allow further printing options, but I suspect the page would first trigger the standard scripting warnings and the user would still be forced to intervene.
    • Well, could you encode a link properly and post it on slashdot? Would it get through the filters? I imagine quite a few people are trying the "print table of links" feature on this very page, simply because nobody has ever used it.

    • No (Score:5, Informative)

      by The MAZZTer (911996) <megazzt@@@gmail...com> on Friday May 16 2008, @10:04AM (#23433826) Homepage
      The best you can do is window.print() to bring up the Print dialog. The user would have to select the "Print table of links" option manually and then print to any printer.

  • To view this article on one page... (Score:5, Funny)

    by Thelasko (1196535) on Friday May 16 2008, @09:13AM (#23432854) Journal
    please select the printable version.

    end sarcasm
  • Going to print the article so I can read it on the can. I'll post a response about it when I get back.

  • I appreciate the desire to raise awareness, but there's no practical benefit to running this story other than Windows bashing. It'll get patched, the patch will probably ship on some future Tuesday given this is a feature few people use and the risk of exploitation is relatively low, and that'll be that.

    In contrast, a far more dangerous bug [debian.org] in the openssl package used by Debian and its derivatives was discovered earlier this week, and doesn't seem to have made the Slashdot home page at all, even though i

  • ...When are we going to be able to read an article written by anyone other than some jerk-off using buzz-phrases whenever possible.

    "0-day" doesn't mean a f$%^&ing thing ! There is no information being transmitted by that phrase, it is empty of any meaning and might as well be a punction mark.
      • From the Wikipedia article cited

        A zero-day (or zero-hour) attack or threat is a computer threat that tries to exploit unknown, undisclosed or unpatched computer application vulnerabilities.

        So, it's a newly discovered exploit. Can't we use that phrase instead of the uber-lame "0-day"

  • Printer-friendly version (Score:3, Funny)

    by 6Yankee (597075) on Friday May 16 2008, @12:22PM (#23436350)
    here [pwn3d.ru]

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.