I’ve been on the road and had a little registry crapout (makes me feel all warm and fuzzy about the “all stick and no carrot” release of Vista), so I’ve been postponing the upgrade to IE7 until I’ve had a chance to get home and restore from backup. Right now I actually feel pretty fortunate that I’ve been unable to upgrade.
Is anyone surprised that a security vulnerability has been reported for IE7? This site claims that there is some sort of cross-domain vulnerability in IE7. Reading the code a bit, it looks like the back-end site can redirect an XHR request to a site of its choice using a 302 HTTP redirect. Why is this a security vulnerability? Imagine that you work for Goldman Sachs and you are accessing a nifty social bookmarking site villa.ino.us. This site makes an XHR request that redirects you to intranet.gs.com, or whatever the super secret internal intranet is. With a little bit of cleverness, you can adapt some of the HTTP vulnerability scanning scripts to make use of this hole.
Scary business. This hole needs to be closed and quick.
Update: Looks like the actual attack vector is Outlook Express, not IE7. Still a problem, just a different source.

Pardon me because I am not following completely. So let’s say villa.ino.us is malicious. You visit it and it redirects you to intranet.gs.com. Now what?
In the scenario you gave, is “you” a malicious entity or is villa.ino.us a malicious one? I find the topic interesting, but please elaborate. Thanks
Kevin Hoang Le
@Kevin
Ha, a really interesting question you’ve raised! Technically, villa.ino.us is guilty, but before it even reveals, you’d be fired from Goldman Sachs.
Sorry Kevin, the idea is that an XHR is redirected to intranet.gs.com. The response text is sent back via another XHR to the original malicious site. The malicious server can then parse the HTML from the intranet.gs.com site, capture confidential information, find other links and then do the usual crawl and exploits against web applications by pushing actions to the browser via the usual Ajax async update.
As it turns out, the exploit is real, but the root cause may not be IE7 but Outlook Express instead.