The bug is specific to Internet Explorer, and still seems unfixed (in stable versions) at the time of writing. I told Microsoft about it back in 2008. Therefore this disclosure is not an 0-day, but more like a 600-day.
The bug is pretty simple: IE supports a window.onerror callback which fires whenever a Javascript parse or runtime error occurs. Trouble is, it also fires for cross-origin scripts: if www.evil.com registers its own window.onerror handler and then uses <script src="http://www.bank.com/">, any error raised while IE tries to parse and run bank.com's response is reported to evil.com's handler, error message included. We'll demonstrate the consequence of this later.

The bug has a very interesting history, which is worth briefly outlining here:
- 2006: Possible original discovery of theft of sensitive data aspect, credit Filipe Almeida.
- Dec 2006: Jeremiah Grossman demonstrates login determination by profiling cross-origin error messages: http://jeremiahgrossman.blogspot.com/2006/12/i-know-if-youre-logged-in-anywhere.html.
- Unknown, 2007?: Firefox fixes the issue.
- Dec 2008: I discover that a redirect bypasses the Firefox protection: http://scarybeastsecurity.blogspot.com/2008/12/firefox-cross-domain-text-theft.html. It is fixed pretty quickly.
- Dec 2008: Michal Zalewski notes that my Firefox demo works verbatim in IE. Microsoft informed.
- Oct 2010: full disclosure of Internet Explorer variant.
For example, if bank.com's response is just the text blah, evil.com's window.onerror handler receives the message:

'blah' is not defined

So if the cross-origin text looks like a Javascript variable reference, then the attacker has a very useful leak!
Here is a proof-of-concept against Google Reader, which works by stealing cross-origin content which happens to be an anti-XSRF token:
http://scary.beasts.org/misc/reader.html
As it happens, the Reader product deployed a change which detects the vulnerable User-Agent string (Internet Explorer) and uses a workaround. So the PoC is neutered. This is a shame because the PoC used to force your friend to subscribe to a goat-farming feed against their will. For now, you'll have to locate an alternate attack vector for this vulnerability -- do let me know what you find via a comment.
It's worth closing with some notes that this area is ripe for further research. There are a variety of text structures which can be stolen (iteratively if necessary) with this trick:
- a,b,c -- i.e. the CSV syntax
- The b in a:b
- a.b.c
- The b in {a:b}
- Expression constructs such as a/b/c
- Constructs like the above, if wrapped in () or [] etc.
http://scary.beasts.org/misc/onerr.html
(Only works in browsers with window.onerror, such as IE).
Please leave a comment if you have more constructs which can be stolen; or more examples of sites where stuff can be stolen from.
3 comments:
Just to be clear: does this vulnerability affect all versions of IE, including 9-preview, or are MS only refusing to expend the effort on "obsolete" versions of IE?
@Rebecca: I believe it's fixed in IE9 preview although I have not confirmed myself. This does not help the majority of IE users, who will be surfing using the supported versions 6, 7 and 8.
@Chris: No, and it'll screw 2K users (they still exist, and I still support some) and XP users (truckloads). I know. I was just wondering if this was the increasingly-usual stance of, "Well, I *guess* we'll fix it, since we're putting new code out. But only in the one new version."
I realize they have to be able to prioritize to some extent, but I'm wicked tired of hearing that something is a "low-risk" vulnerability, and as such doesn't deserve fixing. Ever.
I could see three tiers: 1) OoC release, 2) Patch Tuesday, 3) 2-3 Patch Tuesdays. But apparently the third tier is actually "whenever, if ever; probably never".
Coming at the same time as today's publicity of slipping IE and specifically IE8 market share, it feels like Microsoft is abandoning IE, for all that they "put the team back together".