Friday, June 27, 2008 6:48 PM
cmosby
Internet Explorer 7 Frame Location Handling Vulnerability - Secunia - 6/27/08
Internet Explorer 7 Frame Location Handling Vulnerability
Secunia Advisory:
SA30851
Release Date:
2008-06-26
Critical:
Moderately critical
Impact:
Security Bypass
Spoofing
Where:
From remote
Solution Status:
Unpatched
Software:
Microsoft Internet Explorer 7.x
Description:
sirdarckcat has discovered a vulnerability in Internet Explorer, which can be exploited by malicious people to conduct spoofing attacks.
The problem is that it is possible for a website to modify the location of another frame in another window by setting the location to an object instead of a string. This can be exploited to load malicious content into a frame of a trusted website.
This may be a variant of:
SA11966
The vulnerability is confirmed in IE7. Other versions may also be affected.
Solution:
Do not visit or follow links from untrusted websites.
Provided and/or discovered by:
sirdarckcat
Original Advisory:
http://sirdarckcat.blogspot.com/2008/05/ghosts-for-ie8-and-ie75730.html
http://sirdarckcat.blogspot.com/2008/05/browsers-ghost-busters.html
Other References:
GNUCITIZEN:
http://www.gnucitizen.org/blog/ghost-busters/
SA11966:
http://secunia.com/advisories/11966/