Trouble in Internet Explorer 8 Beta 1

Written by IT News on 1:20 AM

Whether believe in Ghosts or not is irrelevant in terms of browser. Question is you want better project because believing, Microsoft's browsers allow "Ghosts' to peek take more of your shoulder during in reality, it see allows you register every turn, linked with the process of browsing. Secular published an advisory titled "Internet Explorer 7 spot Frame Handling Vulnerability" warning of the risks faced by IE users, but not limited IE7 is affected. Used also tested with success on IE6 and even IE8 Beta 1. And in the beginning everything off, sample proof of concept to be found in the wild.

Indeed, the issue is brought to the attention of Microsoft company exclusively BlueHat security in the spring of 2008 behind closed doors. "Do you think we believe in Ghosts? His invisible tacit, that script you while you browse, even after changing the URL 1000 times and feels completely safe. Now imagine that the ghost is able to see everything we do, including and what are surfing and what type (passwords included), and even to guess his next move, "reads a fragment of the session description of Manuel Caballero, an independent security researcher.

Initially, the security flaw is proven only for Internet Explorer 6 and 7, but Sirdarckcat provide sample ISSUE affecting Internet Explorer 8 Beta 1 and IE7.5730. The proof of concept allows the seizure of IE6 and IE7 frames and enables the user to download keys. Each user presses a key, whether to enter the Internet, including the username and password, and determining the number of credit card and other sensitive information will be registered.

"No downloading is required, without user verification, not ActiveX. In other words: no strings attached. We will examine the possibilities of the script and staying power of a global domain. We will also go through the steps on how to find more domains and resident scripts, "Caballero added.

Microsoft has not yet comment on the matter or issue a fix intended to protect Internet Explorer users. However, the problem is pressing, to say, at least since IE6, IE7 beta 1 and IE8 are vulnerable, and proof of concept code was publicly available.

"Microsoft Internet Explorer fails to properly restrict access to documents frames. This may allow an attacker to replace the contents of a web page framework, with arbitrary content. Internet Explorer continues to appear for the purpose of more domain security model, which limits the actions that a malicious frame may take a parent document. example, a framework that exists in different domains will not be able to access the parent document cookies or HTML content, or other domain HOME specific components. However, the components that are not tied to a specific domain, as onmousedown event [sic]. observation In this particular case, one IFRAME to capture the keys of the parent document. Other actions may be possible, "reads the official description of the shortcoming of the US-CERT.