Skip Navigation

  • Home
  • Contact us
  • FAQ
  • Glossary
  • Public key
  • Sitemap
  • Cymraeg
  • What's new
CPNI - Centre for the Protection of National Infastructure

Advanced search

  • About CPNI
  • The threats
  • Security planning
  • Methods of attack
  • Protecting your assets
  • Products and services
    • CSIRTUK advisories
      • Advisories archive
    • General protective security publications
    • InfoSec briefings
    • InfoSec technical notes
    • InfoSec vulnerability disclosures
    • Good practice guidelines
    • Viewpoints
    • Information exchanges
  • Research
Home > Products and services > CSIRTUK advisories > Advisories archive > June 2006 > US-CERT Vulnerability Note VU#883108 Microsoft Internet Explorer HTML Document object cross-domain vulnerability

June 2006

US-CERT Vulnerability Note VU#883108 Microsoft Internet Explorer HTML Document object cross-domain vulnerability

ID: 00448
Ref: 435/2006
Date: 29 June 2006:14:26:07
Version: 1
Title: US-CERT Vulnerability Note VU#883108 Microsoft Internet Explorer HTML Document object cross-domain vulnerability
Abstract: Microsoft Internet Explorer contains a cross-domain vulnerability in how it handles redirected object data. This could allow an attacker to access the content of a web page in a different domain.
Vendors affected: US CERT
Operating systems affected: US CERT
Applications affected: US CERT
Title
=====

US-CERT Vulnerability Note VU#883108
Microsoft Internet Explorer HTML Document object cross-domain vulnerability

Detail
======

Overview

Microsoft Internet Explorer contains a cross-domain vulnerability in
how it handles redirected object data. This could allow an attacker
to access the content of a web page in a different domain.

I. Description

The Cross-Domain Security Model

IE uses a cross-domain security model to maintain separation between
browser frames from different sources. This model is designed to
prevent code in one domain from accessing data in a different domain.
The Internet Security Manager Object determines which zone or domain
a URL exists in and what actions can be performed. From Microsoft
Security Bulletin MS03-048:

One of the principal security functions of a browser is to ensure
that browser windows that are under the control of different Web sites
cannot interfere with each other or access each other's data, while
allowing windows from the same site to interact with each other. To
differentiate between cooperative and uncooperative browser windows,
the concept of a "domain" has been created. A domain is a security
boundary - any open windows within the same domain can interact with
each other, but windows from different domains cannot. The cross-domain
security model is the part of the security architecture that keeps
windows from different domains from interfering with each other.

The HTML Document object

The HTML Document object provides the core HTML rendering functionality
of the Internet Explorer web browser. This object is provided by the
file mshtml.dll. A web page can make use of the HTML Document object
as an ActiveX control by using the tag.

The problem

The HTML Document object fails to enforce the cross-domain security
model when it encounters an HTTP redirect.

II. Impact

By convincing a user to view a specially crafted HTML document (e.g.,
a web page or an HTML email message), an attacker may be able to
obtain access to web content in another domain. The impact is similar
to that of a cross-site scripting vulnerability. For a more detailed
description of the impact of cross-site scripting vulnerabilities,
please see CERT Advisory CA-2000-02.
http://www.cert.org/advisories/CA-2000-02.html#impact

III. Solution

We are currently unaware of a practical solution to this problem.

Disable ActiveX

This vulnerability can be mitigated by disabling ActiveX, as specified
in the "Securing Your Web Browser" document.

Systems Affected

Vendor Status Date Updated
Microsoft Corporation Vulnerable 28-Jun-2006

References

http://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer
http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060627/3d930eda/PLEBO-2006.06.16-IE_ONE_MINOR_ONE_MAJOR.obj
http://secunia.com/advisories/20825/
http://isc.sans.org/diary.php?storyid=1448&rss
http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.3

Credit

This vulnerability was publicly disclosed by Plebo Aesdi Nael.

This document was written by Will Dormann.
Other Information
Date Public 06/27/2006
Date First Published 06/28/2006 03:17:02 PM
Date Last Updated 06/28/2006
CERT Advisory
CVE Name
Metric 11.34
Document Revision 6
  • Accessibility |
  • Terms and conditions |
  • Privacy statement |
  • Data protection act |
  • Freedom of information |