IE 7.0/8.0b Code Execution 0-Day Released 131
SecureThroughObscure writes "Security blogger and researcher Nate McFeters blogged about a 0-day exploit affecting IE7 and IE8 beta on XP that was released by noted security researcher Aviv Raff. The flaw is a 'cross-zone scripting' flaw that takes advantage of the fact that printing HTML web pages occurs in the Local Machine Zone in IE rather than in the Internet Zone. Quoting McFeters's post: 'This is currently unpatched and in all of its 0-day glory, so for the time being, beware printing using the "print table of links" option when printing web pages.' McFeters and others will be presenting at Black Hat on the link between cross-site scripting and cross-zone. Rob Carter has been hitting this hard over at his blog, pointing out cross-zone weaknesses in Azureus, uTorrent, and the Eclipse platform."
Re:0-day (Score:5, Informative)
yes, I use it (Score:2, Informative)
Re:Proof (Score:4, Informative)
Unfortunately, IE7 has made things a little more difficult:
- Pages with content from various zones no longer show up as 'mixed'. Since the upgrade to IE7, all sites only show the zone of the main URL, however the content runs according to the security zone for it's own source. It makes it almost impossible to work out whether a site can or can't run scripts, and you end up digging into the pages source code to work out what sites need adding to the trusted zones to get pages to work.
- Dynamic scripts added to a page in the 'trusted' zone, execute from the 'internet' zone. This is "by design"... The only workaround is to change the way the code works on the server.
- If you want to lock down the 'internet' zone, you will need to add "about:internet" to your 'trusted' zone
- You will also need to add res://ieframe.dll to your 'trusted' zone
Re:you wrong! (Score:2, Informative)
Re:0-day (Score:5, Informative)
The whole point of coining the term in the first place was to be able to discuss the unknown; i.e., to be able to assess the potential danger of currently unknown threats. Day-1 refers to disclosure, as such there's no way to talk about a specific 0-day because if you know what it is than it has to at least be day-1.
Sure it's abstract, but it's an important concept for developing security technologies and security procedures.
Between product buzzwords and the abstract nature of the term it's almost lost all meaning.
Re:Can it be triggered via javascript? (Score:5, Informative)
Re:Must we highlight every bug in IE? (Score:5, Informative)
Re:Must we highlight every bug in IE? (Score:4, Informative)
http://it.slashdot.org/article.pl?sid=08/05/13/1533212 [slashdot.org]
No (Score:5, Informative)
Re:Must we highlight every bug in IE? (Score:2, Informative)
In contrast, a far more dangerous bug [debian.org] in the openssl package used by Debian and its derivatives was discovered earlier this week, and doesn't seem to have made the Slashdot home page at all
Re:0-day (Score:5, Informative)
> The whole "day thing" is about the time between disclosure and patch/signature release.
Do you have any citation for your assertion?
The term derives from warez "0-day boards". These were populated by the most elite crackers who had cracked software on the 0th-day of release; that is, the software hit the shelves and was already cracked.
Try doing a web search for ``0-day'' with a date threshold prior to, say, 1995. You won't find any hits for your interpretation:
http://www.alltheweb.com/search?advanced=1&cat=web&jsact=&_stype=norm&type=all&q=%220-day%22&itag=crv&l=en&ics=utf-8&cs=iso88591&wf%5Bn%5D=3&wf%5B0%5D%5Br%5D=%2B&wf%5B0%5D%5Bq%5D=&wf%5B0%5D%5Bw%5D=&wf%5B1%5D%5Br%5D=%2B&wf%5B1%5D%5Bq%5D=&wf%5B1%5D%5Bw%5D=&wf%5B2%5D%5Br%5D=-&wf%5B2%5D%5Bq%5D=&wf%5B2%5D%5Bw%5D=&dincl=&dexcl=&geo=&doctype=&dfr%5Bu%5D=on&dfr%5Bd%5D=1&dfr%5Bm%5D=1&dfr%5By%5D=1990&dto%5Bu%5D=on&dto%5Bd%5D=16&dto%5Bm%5D=5&dto%5By%5D=1995&hits=10 [alltheweb.com]
Try USENET for certainty ( blocked in work ).
Re:Irresponsible disclosure (Score:2, Informative)