In association with heise online

27 June 2008, 13:12

Ghostly threat to Internet Explorer users

Microsoft certainly never imagined anything like this. A talk given behind closed doors at the Microsoft BlueHat Security Briefing revealed a huge security problem in Internet Explorer. Presenter Manuel Caballero demonstrated a far-reaching espionage tool that can trap users who are merely visiting a web site. His spooky summary read: "Do you believe in ghosts? Imagine an invisible script that silently follows you while you surf – even after changing the URL 1,000 times. And this ghost is able to see everything you do, including what you are surfing and what you are typing (passwords included), and even guess your next move."

The limited information about this presentation that leaked out was enough for some security specialists to reconstruct the puzzle piece by piece. Clearly, the attack involves a violation of the cross-domain policy, which ensures that web sites can't read user input to other sites. A published screenshot of the demo revealed that iframes were involved. The rest required a bit of experimentation.

There are now several demos that show how to break through the barriers separating domains in order to implement Caballero's espionage functions. A Chinese group by the name of Ph4nt0m demonstrates how to circumvent security checks while accessing the window location property. This prompted US-CERT to issue a security warning about Internet Explorer Version 6. The method presented there doesn't work with IE 7.

Screenshot: Heise Security in IE7. The red IFrame captures all keyboard input.

Eduardo Vela demonstrates that even Microsoft's new browser generations are not immune to such problems. He found out that, in order to circumvent protective measures when accessing location, all you need do is make a string look unlike a string. He used this approach to implement a simple demo with a primitive keylogger that he claims also works with IE7 and the beta versions of IE8. And sure enough, after we went to his demo URL in Internet Explorer 7 on a test system, his code persistently followed us across many sites and snooped on what we were doing. Even after we typed in a heise URL by hand and went to it, his "Caballero Listener" picked up all our keyboard input and displayed it in a stolen IFrame.

The demos may not look particularly impressive, but they certainly are. If you take into account that hundreds of thousands of sites are compromised right now, the implication is that you'd better not use Internet Explorer to visit any more important sites. The professional software developers behind web attack toolkits such as MPack are undoubtedly able to exploit these holes for their own purposes, and criminals are increasingly infiltrating benign web sites to launch attacks on users.

Whether changing over to alternative browsers such as Firefox gives any real protection is still to be shown. Security expert Nate McFeters has seen the original "ghosts" presentation and claims in his blog that the problem affects all browsers. It could be that much more is waiting to be revealed. We can, however, safely assume that a combination of Firefox with the NoScript add-on offers reduced exposure to such attacks.

(mba)

Permalink: http://h-online.com/-736317