Microsoft Internet Explorer page update cross-domain security bypass

ie-pageupdate-security-bypass (34696)

Medium Risk

Description:

Microsoft Internet Explorer could allow a remote attacker to bypass cross-domain security restrictions, caused by a race condition when updating pages across domains. By persuading a victim to visit a specially-crafted Web site, a remote attacker could bypass same-origin policy restrictions to gain unauthorized access to other domains and obtain sensitive information from the system.

Platforms Affected:

• Microsoft, Internet Explorer 6
• Microsoft, Internet Explorer 6 SP1
• Microsoft, Internet Explorer 7
• Microsoft, Windows Server 2008 SP2 32-bit
• Microsoft, Windows Server 2008 x64
• Microsoft, Windows Server 2008 Itanium
• Microsoft, Windows Server 2008 32-bit
• Microsoft, Windows Vista SP1
• Microsoft, Windows Vista SP1 x64
• Microsoft, Windows Vista
• Microsoft, Windows Vista x64
• Microsoft, Windows 2000 SP4
• Microsoft, Windows Server 2003 SP2 X64
• Microsoft, Windows Server 2003 SP2 Itanium
• Microsoft, Windows Server 2003 SP2
• Microsoft, Windows Server 2008 SP2 Itanium
• Microsoft, Windows Server 2008 SP2 X64
• Microsoft, Windows Vista SP2
• Microsoft, Windows Vista SP2 X64
• Microsoft, Windows XP SP2
• Microsoft, Windows XP SP3
• Microsoft, Windows XP SP2 Professional x64

Remedy:

Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS07-033 or MS09-019. See References.

Consequences:

Bypass Security

References:

• Full-Disclosure Mailing List, Mon Jun 04 2007 - 06:02:40 CDT, Assorted browser vulnerabilities at http://archives.neohapsis.com/archives/fulldisclosure/2007-06/0026.html.
• Microsoft Internet Explorer Web site, Internet Explorer: Home Page at http://www.microsoft.com/windows/products/winfamily/ie/default.mspx.
• Microsoft Security Bulletin MS07-033, Cumulative Security Update for Internet Explorer (933566) at http://www.microsoft.com/technet/security/Bulletin/MS07-033.mspx.
• Microsoft Security Bulletin MS09-019, Cumulative Security Update for Internet Explorer (969897) at http://www.microsoft.com/technet/security/bulletin/ms09-019.mspx.
• NORTEL BULLETIN ID: 2009009559, Rev 1, Nortel Response to Microsoft Security Bulletin MS09-019 at http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=932811&poid=.
• ASA-2009-221: MS09-019 Cumulative Security Update for Internet Explorer (969897)
• BID-24283: Microsoft Internet Explorer JavaScript Cross Domain Information Disclosure Vulnerability
• CVE-2007-3091: Race condition in Microsoft Internet Explorer 6 SP1; 6 and 7 for Windows XP SP2 and SP3; 6 and 7 for Server 2003 SP2; 7 for Vista Gold, SP1, and SP2; and 7 for Server 2008 SP2 allows remote attackers to execute arbitrary code or perform other actions upon a page transition, with the permissions of the old page and the content of the new page, as demonstrated by setInterval functions that set location.href within a try/catch expression, aka the bait & switch vulnerability or Race Condition Cross-Domain Information Disclosure Vulnerability.
• SA25564: Internet Explorer Page Loading Race Condition and URL Spoofing
• SECTRACK ID: 1018192: Microsoft Internet Explorer Input Validation Hole Permits Cross-Site Scripting Attacks
• US-CERT VU#471361: Microsoft Internet Explorer cross-domain frame race condition
• VUPEN/ADV-2007-2064: Microsoft Internet Explorer Web Page Navigation Cross Domain Scripting Vulnerability

Reported:

Jun 04, 2007

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page