In association with heise online

16 May 2008, 11:45

Security hole in Internet Explorer allows attackers to execute arbitrary programs

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Aviv Raff has discovered that arbitrary programs can be executed when crafted web pages are printed in Internet Explorer. The vulnerability is based on a cross-zone scripting hole allowing web pages to execute code in the local zone instead of the internet zone. However, user intervention is required.

Raff has created a sample page to demonstrate the hole. The web page calls the Windows computer if the user prints it using the "Print Table of Links" feature. It is irrelevant whether the user allows the execution of active content as warned by IE. heise Security was able to reproduce the behaviour in Windows XP SP2 with all current patches and Internet Explorer 7.

Do not print this page!
Zoom Although IE issues a warning before executing active content, it can be executed silently when printing link tables.

When users print a page in IE, the browser uses a local script which generates a new HTML file to be printed, explains Raff. The HTML contains a header, the web page body, a footer – and, if enabled, also the table of links in the web page. However, the script does not check the URLs contained in the links, adding them to the new HTML file as presented without any filtering. In Internet Explorer, most local scripts run in the internet zone, but the printing script runs in the Local Machine Zone. This opens up the security hole, allowing any injected JavaScript to execute arbitrary code on the user’s machine. By embedding specially crafted links in a web page, and with a little social engineering to get visitors to print the page containing the link table, attackers can therefore inject arbitrary code on users' computers. According to Raff, the vulnerability affects not only IE 7 but also the beta version of IE 8.

While the vulnerability allows code to be executed under Windows XP, Windows Vista with activated User Account Control (UAC) only allows attackers to spy out information, explains Raff. Older versions may also be affected by the problem. Users are advised to refrain from printing web pages with link tables until Microsoft has released a patch.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit