Overview
» IDS/IPS Signatures
Security Sites
Products
White Papers
Data Sheets
Case Studies
Support Login
Locate a Partner
iPolicy Networks Security Advisory
 

Microsoft IE location and location.href Cross Domain Security Bypass Vulnerability
Date Discovered: 10/14/2008
Severity: High
Operating Systems Affected: Microsoft Windows 2000 SP4
Microsoft Windows XP SP2
Microsoft Windows XP SP3
Microsoft Windows XP Professional x64
Microsoft Windows XP Professional x64 SP2
Microsoft Windows Server 2003 SP1
Microsoft Windows Server 2003 SP2
Microsoft Windows Server 2003 x64
Microsoft Windows Server 2003 x64 SP2
Microsoft Windows Vista
Microsoft Windows Vista SP1
Applications Affected: Internet Explorer 5.01
Internet Explorer 6 
Internet Explorer 6 SP1
Internet Explorer 7
Synopsis
Microsoft Internet Explorer is prone to a cross-domain scripting security-bypass vulnerability because the application fails to properly enforce the same-origin policy.
Recommended Actions
Update the patches as guided by vendor at :
http://www.microsoft.com/technet/security/bulletin/ms08-058.mspx
Threat Analysis
Microsoft Internet Explorer could allow a remote attacker to bypass cross-domain security restrictions, caused by an error in the location and location.href property of a window object. Internet Explorer incorrectly interprets the origin of script, allowing it to run in the context of a domain or Internet Explorer security zone other than where it originated.

An attacker could exploit this vulnerability to possibly perform cross-site scripting attacks and launch further attacks on the vulnerable system.
References

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2947
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3472
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3473
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3474
http://www.securityfocus.com/bid/29960/discuss

Write-up by: Aditya Chaturvedi
Security Sites
 
“iPolicy is one of the most visionary firewall vendors in the firewall Magic Quadrant. Its architecture of a central session processing engine and multiple content blades that are able to block based on signatures, rules and so on is the closest to the network security ideal.”
 
Greg Young, John Pescatore
Magic Quadrant for Network Firewalls, 2H04, Gartner
 

 
Home | About Us | Products | Technology | Solutions | Support | Partners | News & Events | Resources | Contact Us
Copyright ©2008 iPolicy Networks - Security Products Division of Tech Mahindra Limited | Privacy Policy | Site Map