SecureThroughObscure writes "Security blogger and researcher Nate McFeters, of ZDNet and Ernst & Young's Advanced Security Center, blogged about an 0-day exploit released by noted security researcher Aviv Raff today. The flaw is a cross-zone scripting flaw, that takes advantage of the fact that printing HTML web pages occurs in the Local Machine Zone in IE rather than in the Internet Zone.
"One of the most concerning things about cross-site scripting is when you can execute your script in a higher privileged zone, as Aviv has here. In some cases, you can actually run arbitrary commands on the operating system, read/write files, and definitely make all the cross-domain requests (with cookies) that you'd like. I'll save this for a different blog posting, because that was always the plan, but if you are interested in seeing more on this, Rob Carter has been hitting this really hard over at his blog."
As McFeters stated, Carter has done a lot of research into this area, pointing out very serious flaws in the web management consoles of Azureus and uTorrent, as well as in the Eclipse platform, which is used to build several other tools.
Internet Explorer is prone to a Cross-Zone Scripting vulnerability in its "Print Table of Links" feature. This feature allows users to add to a printed web page an appendix which contains a table of all the links in that webpage.
An attacker can easily add a specially crafted link to a webpage (e.g. at his own website, comments in blogs, social networks, Wikipedia, etc.), so whenever a user will print this webpage with this feature enabled, the attacker will be able to run arbitrary code on the user's machine (i.e. in order to take control over the machine).
Technical details
Whenever a user prints a page, Internet Explorer uses a local resource script which generates an new HTML to be printed. This HTML consists of the following elements: Header, webpage body, Footer, and if enabled, also the table of links in the webpage.
While the script takes only the text within the link's inner data, it does not validate the URL of links, and add it to the HTML as it is. This allows to inject a script that will be executed when the new HTML will be generated.
As I said in a previous post, most of the local resources in Internet Explorer are now running in Internet Zone. Unfortunately, the printing local resource script is running in Local Machine Zone, which means that any injected script can execute arbitrary code on the user's machine.
These are a very interesting class of bug, pretty scary stuff, especially since they appear to work in IE 8 as well.
IE 7.0/8.0b Code Execution 0-day Released! 0 Comments More Login /
Get More Comments