Microsoft Internet Explorer window.createPopup() method creates chromeless windows

JM Tella Llop [MVP Windows]

Overview
The Internet Explorer (IE) window.createPopup() method creates
chromeless popup windows. These windows can be used to spoof the user
interface in Internet Explorer, any Windows application, or the
Windows desktop.
I. Description
The visible area of a web browser window can be categorized into two
areas: content and chrome. The content area is where the web browser
renders HTML and other data. The chrome area surrounds the content
area and includes the status bar, address bar, tool bar, and menu
area. In most cases, the entire browser window (chrome and content) is
enclosed with "window management decorations" - title, frame, and
minimize, maximize, resize, and close controls.

The IE Dynamic HTML (DHTML) model supports a proprietary method,
window.createPopup(), to create chromeless popup windows. A window
created by window.createPopup() has the following characteristics:

* It contains no chrome
* It has no window manager decoration
* It appears on top of all other windows
* It can be placed anywhere on the screen
* It does not appear in the Windows taskbar
* It cannot be focused
* It is closed when the user clicks outside of the window

Chromeless windows can appear anywhere on the screen. Any part of the
Windows graphical user interface (GUI) can be covered by chromeless
windows, including the IE address bar, IE scroll bar, IE HTTPS padlock
icon, Start menu, system tray, other Windows applications, or the
entire visible screen. When a refresh loop is used, chromeless windows
can remain visible even when the user clicks outside of the window.
II. Impact
By convincing the user to view an HTML document (e.g., web page, email
message) an attacker can deceive the user by changing the appearance
of the GUI. Because of their unique characteristics, chromeless
windows can be used to facilitate phishing attacks. For example, an
attacker can create a fake address bar and HTTPS padlock icon to spoof
a secure website.

More importantly, chromeless windows can be used in combination with
other vulnerabilities to copy arbitrary files to the user's machine.
IE treats arbitrary files as images with respect to drag and drop
operations (VU#526089), allows windows to be manipulated by mouse
events (VU#413886), and allows remote web sites to open windows or
frames that interact with the local filesystem. By convincing the user
to perform drag and drop actions such as clicking an image, selecting
text, or dragging the scrollbar, an attacker can copy malicious code
to the target machine.
III. Solution

Install Windows XP Service Pack 2 (SP2)

Microsoft Windows XP SP2 significantly improves your computer's
defenses against attacks and vulnerabilities. SP2 places constraints
on popup windows created by window.createPopup(), limiting the ability
to spoof the IE and Windows GUI. The constraints are:

* A popup window must appear between the top and bottom of its
parent window's chrome, so it does not overlap the Internet Explorer
address bar, title bar, status bar, or toolbars.
* Horizontally, a popup window must always overlap some area of
its parent window.
* A popup window must stay immediately on top of its parent, so it
cannot be placed over other windows.

These enhancements prevent a large number of spoofing attacks with IE.

Disable Active scripting and ActiveX controls

Disabling Active scripting prevents attackers from creating chromeless
windows using window.createPopup(). Disabling ActiveX controls
prevents IE from making images transparent, which is a component of
publicly available exploit code.

At a minimum, disable Active scripting and ActiveX controls in the
Internet zone and the zone used by Outlook, Outlook Express, or any
other software that uses the WebBrowser ActiveX control or the IE HTML
rendering engine (MSHTML). Instructions for disabling Active scripting
and ActiveX controls can be found in the Malicious Web Scripts FAQ.

Apply the Outlook Email Security Update

Another way to effectively disable Active scripting and ActiveX
controls in Outlook is to install the Outlook Email Security Update.
The update configures Outlook to open email messages in the Restricted
Sites Zone, where Active scripting and ActiveX controls are disabled
by default. In addition, the update provides further protection
against malicious code that attempts to propagate via Outlook. The
Outlook Email Security Update is available for Outlook 98 and Outlook
2000. The functionality of the Outlook Email Security Update is
included in Outlook 2002 and Outlook Express 6.

Render email in plain text

Configure email client software (mail user agent [MUA]) to render
email messages in plain text. Instructions to configure Outlook 2002
and Outlook Express 6 are available in Microsoft Knowledge Base
Articles 307594 and 291387, respectively. HTML-formatted email
messages may not appear properly; however, script will not be
evaluated, thus preventing certain types of attacks.

Maintain updated antivirus software

Antivirus software with updated virus definitions may identify and
prevent some exploit attempts. Variations of exploits or attack
vectors may not be detected. Do not rely on antivirus software to
defend against this vulnerability.

Use a different web browser

There are a number of significant vulnerabilities in technologies
relating to the IE domain/zone security model, the DHTML object model,
MIME type determination, the graphical user interface (GUI), and
ActiveX. It is possible to reduce exposure to these vulnerabilities by
using a different web browser, especially when browsing untrusted
sites. Such a decision may, however, reduce the functionality of sites
that require IE-specific features such as DHTML, VBScript, and
ActiveX. Note that using a different web browser will not remove IE
from a Windows system, and other programs may invoke IE, the
WebBrowser ActiveX control, or the HTML rendering engine (MSHTML).
Systems Affected

Vendor                  Status      Date Updated
Microsoft Corporation   Vulnerable  10-Sep-2004
References

http://www.cert.org/tech_tips/malicious_code_FAQ.html
http://www.kb.cert.org/vuls/id/525089
http://www.kb.cert.org/vuls/id/413886
http://www.guninski.com/popspoof.html
http://www.doxdesk.com/personal/posts/bugtraq/20030713-ie/
http://msdn.microsoft.com/workshop/author/om/doc_object.asp
http://msdn.microsoft.com/workshop/author/dhtml/reference/methods/createpopup.asp
http://xforce.iss.net/xforce/xfdb/7313
http://secunia.com/advisories/12048/
http://securitytracker.com/alerts/2003/Jul/1007190.html
http://www.securityfocus.com/bid/8176
Credit

Thanks to Georgi Guninski and Andrew Clover for reporting this
vulnerability.

This document was written by Will Dormann and Art Manion.
Other Information
Date Public 10/21/2001
Date First Published 09/10/2004 03:09:38 PM
Date Last Updated 10/27/2004
CERT Advisory
CVE Name CAN-2001-1410
Metric 31.92
Document Revision 60


--
Jose Manuel Tella Llop
MVP - Windows
(e-mail address removed) (quitar XXX)
http://www.multingles.net/jmt.htm

This message is provided "as is" without warranties of any kind, and
confers no rights.

This posting is provided "AS IS" with no warranties, and confers no
rights.
You assume all risk for your use.
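As an added illustration (not code from the CERT note or from Microsoft), the following JavaScript models the SP2 placement constraints listed in the Solution section as a geometry check; the parent-window layout and the popup requests are constructed sample values, and the clamping behaviour is an assumption for illustration.

```javascript
// Added example (not from the CERT note or Microsoft): a model of the
// Windows XP SP2 placement constraints on window.createPopup() windows that
// the Solution section lists. Rectangles are {left, top, width, height} in
// screen pixels; "parent" is a constructed description of a browser window
// (its outer frame and its content area). Constraint 3 (z-order: the popup
// stays immediately on top of its parent) is not geometric and not modelled.

// Constraint 1: the popup must lie between the top and bottom of the parent's
// chrome, i.e. vertically inside the content area, so it cannot cover the
// title bar, address bar, toolbars or status bar.
function withinVerticalBand(popup, parent) {
  const c = parent.content;
  return popup.top >= c.top && popup.top + popup.height <= c.top + c.height;
}

// Constraint 2: horizontally the popup must overlap some part of the parent.
function overlapsHorizontally(popup, parent) {
  const f = parent.frame;
  return popup.left < f.left + f.width && popup.left + popup.width > f.left;
}

// Check a requested popup rectangle and list the constraints it violates.
function checkPopupPlacement(popup, parent) {
  const violations = [];
  if (!withinVerticalBand(popup, parent)) violations.push("vertical-band");
  if (!overlapsHorizontally(popup, parent)) violations.push("horizontal-overlap");
  return { allowed: violations.length === 0, violations };
}

// Move a non-compliant request to the nearest compliant placement. Clamping is
// an assumption for illustration; the note only states the rules themselves.
function clampPopup(popup, parent) {
  const c = parent.content, f = parent.frame;
  const height = Math.min(popup.height, c.height);
  const top = Math.min(Math.max(popup.top, c.top), c.top + c.height - height);
  const minLeft = f.left - popup.width + 1;   // keeps >= 1px of overlap
  const maxLeft = f.left + f.width - 1;
  const left = Math.min(Math.max(popup.left, minLeft), maxLeft);
  return { left, top, width: popup.width, height };
}

// Constructed sample: browser frame at (100,100) 800x600; content area starts
// 120px below the frame top (title/address bar, toolbars) and ends 24px
// above the bottom (status bar). A popup requested over the address bar
// fails constraint 1 and, after clamping, lands inside the content area.
const sampleParent = {
  frame:   { left: 100, top: 100, width: 800, height: 600 },
  content: { left: 100, top: 220, width: 800, height: 456 },
};
const overAddressBar = { left: 150, top: 130, width: 400, height: 24 };
```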