> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Your subject makes it sound like this is a spoofing vulnerability when in fact this is expected functionality that has been around since Netscape 2 and IE3 which does not grant additional privileges of any kind and requires the user to activate WindowsUpdate from your site. > Here's a quick and dirty demo injecting malware.com into > windowsupdate.microsoft.com :) > http://www.malware.com/targutted.html Your script opens a new window and then uses a timer to change the location of whatever window object has focus. This does not switch security zone or even protocol, all it does is to load your site into a subframe of another site. You can accomplish the exact same without trying to 'trick' anything by using the following 2 lines: W=window.open("http://v4.windowsupdate.microsoft.com"); W.frames[2].location.href = "http://pivx.com/"; This is no different than loading WindowsUpdate in a frame on your own site. It has always been standard practice that you can change, but not read, the location of any window object to a site from the same protocol and security zone. A frame is a window object and all window objects are safely exposed because they by themselves does not reveal any information about the site inside the frame. You can get a handle of any window object to any depth because the frames collection is also safely exposed. This does not give you any kind of access to the document object inside, which would be necessary for any kind of code injection or cookie theft. Regards Thor Larholm Senior Security Researcher PivX Solutions 23 Corporate Plaza #280 Newport Beach, CA 92660 http://www.pivx.com [EMAIL PROTECTED] Stock symbol: (PIVX.OB) Phone: +1 (949) 231-8496 PGP: 0x5A276569 6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569 PivX defines a new genre in Desktop Security: Proactive Threat Mitigation. <http://www.pivx.com/qwikfix> -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 29, 2004 11:41 AM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: SUPER SPOOF DELUXE Re: [Full-Disclosure] Microsoft and Security Thomas Kessler was kind enough to inform that this is not new, but in fact on old "issue" with Internet Explorer which by all accounts was supposed to be "patched" back in 1998[?]: Microsoft Security Program: Microsoft Security Bulletin (MS98- 020) Patch Available for 'Frame Spoof' Vulnerability http://www.microsoft.com/technet/security/bulletin/ms98-020.mspx Quite clearly this contraption known as Internet Explorer is just broken. It's oozing pus from every pore at this stage. If indeed the issues are the exact same. You'd better wipe hands of it anyway. We give up. -- http://www.malware.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html