ISS X-Force Database: ie-javascript-spoof-dialog(7313): Microsoft Internet Explorer allows JavaScript to spoof dialog boxes

Microsoft Internet Explorer allows JavaScript to spoof dialog boxes

ie-javascript-spoof-dialog (7313)

Low Risk

Description:

Internet Explorer with Active Scripting enabled could allow a malicious Web site to spoof the entire screen using JavaScript. A Web site containing malicious JavaScript can "spoof" what is displayed on the screen, which could be used to generate fake dialog boxes or hide legitimate IE dialog boxes. For example, a malicious Web site could use this technique to trick a user into clicking an unsafe option on a legitimate IE warning message by hiding the warning message behind a seemingly harmless dialog box message generated by the JavaScript.

Consequences:

Gain Privileges

Remedy:

No remedy available as of February 6, 2010.

References:

BugTraq Mailing List, 2003-07-15 14:43:13: Internet Explorer Full-Screen mode threats.
BugTraq Mailing List, Mon Jul 12 2004 - 13:20:51 CDT: RE: MSIE Download Window Filename + Filetype Spoofing Vulnerability.
BugTraq Mailing List, Mon Jul 14 2003 - 12:41:57 CDT: RE: IE chromeless window vulnerabilities.
BugTraq Mailing List, Sun Jul 13 2003 - 14:20:21 CDT: IE chromeless window vulnerabilities.
Georgi Guninski Security Advisory #50: Javascript in IE may spoof the whole screen.
Marek Bialoglowy SYSTEM INTEGRA Web site: INTERNET EXPLORER FULL-SCREEN MODE FULL OF THREATS.
BID-3469: Microsoft Internet Explorer JavaScript Interface Spoofing Vulnerability
BID-8176: Microsoft Internet Explorer window.createPopup Interface Spoofing Vulnerability
CVE-2001-1410: Internet Explorer 6 and earlier allows remote attackers to create chromeless windows using the Javascript window.createPopup method, which could allow attackers to simulate a victim's display and conduct unauthorized activities or steal sensitive data via social engineering.
US-CERT VU#490708: Microsoft Internet Explorer window.createPopup() method creates chromeless windows

Platforms Affected:

Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6

Reported:

Oct 21, 2001

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page