But also in IE7 and in IE6

Jul 2, 2008 13:53 GMT

Whether you believe in ghosts or not is irrelevant from a browser point of view. The matter is that you'd better start believing, because Microsoft's browsers allow "ghosts" to take more than a peek over your shoulder; in fact, they permit them to see and record every move associated with the browsing session. Secunia has published an advisory titled "Internet Explorer 7 Frame Location Handling Vulnerability" warning of the risks faced by IE users, but IE7 is not the only version affected. Exploits have also been tested successfully on IE6 and even on IE8 Beta 1. And to top it all off, a sample proof of concept is available in the wild.

Apparently, the issue was brought to Microsoft's attention behind closed doors at the company's invitation-only BlueHat Security event in spring 2008. "Do you believe in ghosts? Imagine an invisible script that silently follows you while you surf, even after changing the URL 1,000 times and you are feeling completely safe. Now imagine that the ghost is able to see everything you do, including what you are surfing and what you are typing (passwords included), and even guess your next move," reads a fragment of the session description by Manuel Caballero, an independent security researcher.

Initially, the security flaw was demonstrated only on Internet Explorer 6 and 7, but Sirdarckcat made available a sample PoC affecting Internet Explorer 8 Beta 1 and IE7.5730. The proof of concept permits the hijacking of IE6 and IE7 frames and enables the capturing of user keystrokes. Every key the user presses is recorded, from the username and password typed to log into a web account down to credit card numbers and other sensitive information.

"No downloading required, no user confirmation, no ActiveX. In other words: no strings attached. We will examine the power of a resident script and the power of a global cross-domain. Also, we will go through the steps of how to find cross-domains and resident scripts," Caballero added.

Microsoft has yet to comment on the matter or to issue a fix designed to protect Internet Explorer users. However, the issue is pressing, to say the least, as IE6, IE7 and IE8 Beta 1 are all vulnerable, and proof-of-concept code is publicly available.

"Microsoft Internet Explorer fails to properly restrict access to a document's frames. This can allow an attacker to replace the contents of a web page's frame with arbitrary content. Internet Explorer still appears to enforce the cross-domain security model, which limits the actions that a malicious frame can take with the parent document. For example, a frame that exists in a different domain should not be able to access the parent document's cookies or HTML content, or other domain-specific DOM components. However, components that are not tied to a specific domain, such as the onmousedown event [sic]. By monitoring this particular event, an IFRAME can capture keystrokes from the parent document. Other actions may be possible," reads the official description of the flaw from US-CERT.
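The US-CERT description above explains the defender's one lever: a replaced frame is cross-domain, so the parent can no longer read its document. The following added example (not from the article, US-CERT or the PoC authors; frame names and URLs are assumptions) shows a parent page watching its named frames and resetting any frame whose content it can no longer read.

```javascript
// Added example: a frame-integrity watchdog for a parent page that uses named
// frames. Frame names and URLs below are constructed for this example.
const EXPECTED_FRAMES = {
  nav:  "/nav.html",
  main: "/main.html",
};

// True when the parent can still read the frame's document, i.e. the frame
// holds same-origin content. Reading a cross-domain document throws, which is
// exactly what a hijacked frame looks like from the parent's side.
function frameIsSameOrigin(frameWindow) {
  try {
    return typeof frameWindow.document.location.href === "string";
  } catch (e) {
    return false;
  }
}

// Inspects each expected frame. Returns the names that look replaced and
// navigates those frames back to their expected URL. Setting a frame's
// location is permitted even cross-domain, so the reset works on a hijacked
// frame; reading its content is not, which is why the check above is needed.
function checkFrames(frames, expected = EXPECTED_FRAMES) {
  const replaced = [];
  for (const [name, url] of Object.entries(expected)) {
    const w = frames[name];
    if (!w || !frameIsSameOrigin(w)) {
      replaced.push(name);
      if (w) w.location.replace(url);
    }
  }
  return replaced;
}

// In a browser the parent would poll its own frames, e.g.:
//   setInterval(() => checkFrames(window.frames), 1000);
```

This only detects and undoes a replacement after the fact and a resident script can simply repeat it; it does not substitute for the vendor fix, but it makes a hijack visible to the application rather than silent.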