Microsoft Internet Explorer allows JavaScript to spoof dialog boxes
| ie-javascript-spoof-dialog (7313) |  Low Risk |
Description:
Internet Explorer with Active Scripting enabled could allow a malicious Web site to spoof the entire screen using JavaScript. A Web site containing malicious JavaScript can "spoof" what is displayed on the screen, which could be used to generate fake dialog boxes or hide legitimate IE dialog boxes. For example, a malicious Web site could use this technique to trick a user into clicking an unsafe option on a legitimate IE warning message by hiding the warning message behind a seemingly harmless dialog box message generated by the JavaScript.
Platforms Affected:
- Microsoft, Internet Explorer 5.5
- Microsoft, Internet Explorer 6
Remedy:
No remedy available as of August 16, 2008.
Consequences:
Gain Privileges
References:
- BugTraq Mailing List, 2003-07-15 14:43:13, Internet Explorer Full-Screen mode threats at http://marc.theaimsgroup.com/?l=bugtraq&m=105829174431769&w=2.
- BugTraq Mailing List, Mon Jul 12 2004 - 13:20:51 CDT, RE: MSIE Download Window Filename + Filetype Spoofing Vulnerability at http://archives.neohapsis.com/archives/bugtraq/2004-07/0098.html.
- BugTraq Mailing List, Mon Jul 14 2003 - 12:41:57 CDT, RE: IE chromeless window vulnerabilities at http://archives.neohapsis.com/archives/bugtraq/2003-07/0166.html.
- BugTraq Mailing List, Sun Jul 13 2003 - 14:20:21 CDT, IE chromeless window vulnerabilities at http://archives.neohapsis.com/archives/bugtraq/2003-07/0156.html.
- Georgi Guninski Security Advisory #50, Javascript in IE may spoof the whole screen at http://www.guninski.com/popspoof.html.
- Marek Bialoglowy SYSTEM INTEGRA Web site, INTERNET EXPLORER FULL-SCREEN MODE FULL OF THREATS at http://www.systemintegra.com/ie-fullscreen/.
- BID-3469: Microsoft Internet Explorer JavaScript Interface Spoofing Vulnerability
- BID-8176: Microsoft Internet Explorer window.createPopup Interface Spoofing Vulnerability
- CVE-2001-1410: Internet Explorer 6 and earlier allows remote attackers to create chromeless windows using the Javascript window.createPopup method, which could allow attackers to simulate a victim's display and conduct unauthorized activities or steal sensitive data via social engineering.
- US-CERT VU#490708: Microsoft Internet Explorer window.createPopup() method creates chromeless windows
Reported:
Oct 21, 2001
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
For corrections or additions please email xforce@iss.net