- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Microsoft Windows Vista Sidebar RSS Feeds Gadget Cross Site Scripting
Vulnerability
------------------------------------------------------------------------
SUMMARY
The
<http://www.microsoft.com/windows/products/windowsvista/features/details/sidebargadgets.mspx> Vista sidebar is "a desktop extension that allows the user to keep a number of "gadgets", which are mini-applications, running in constant view on the desktop. Vista provides a number of default gadgets, such as a calendar, a weather tool, and an RSS feed reader".
RSS feeds allow a content provider, such as a website, to let others
receive a stream of "headlines" describing content on the provider's site.
The feeds are often updated frequently, and allow a user to receive
information from a site without having to visit it. For example, a user
may subscribe to a news feed that updates every hour with the headlines of
top news stories. In order to subscribe to a feed, a user needs a feed
reader. Modern browsers, such as Internet Explorer, provide a feed reader
within the browser.
Remote exploitation of a Cross Site Scripting (XSS) vulnerability in the
Windows Vista Sidebar RSS Gadget allows an attacker to execute arbitrary
code with the privileges of the logged in user.
DETAILS
Vulnerable Systems:
* Microsoft Windows Vista Business
A vulnerability exists within the parsing of the certain elements of the
items in an RSS feed. A properly crafted HTML tag within these elements
will not be removed, and will be rendered by the RSS gadget. Since the RSS
gadget runs in the local zone, the injected JavaScript has full access to
the system.
Analysis:
Exploitation of this vulnerability will result in the execution of
arbitrary code with the privileges of the user running the RSS gadget. In
order to exploit this, an attacker can inject JavaScript that will
download and execute a malicious binary.
The RSS gadget runs by default, but does not display any feeds unless a
user subscribes to them. As such, a user must be receiving data from a
malicious feed in order to be attacked.
In the most common scenario, this requires some form of social engineering
to convince a user to subscribe to a malicious feed. There is no way to
add a feed by simply clicking a link. The user must click the 'Subscribe
to this feed' button displayed when visiting a feed in Internet Explorer.
After adding the feed, exploitation will occur once the gadget attempts to
display the feed.
Another attack vector that requires significantly less social engineering
requires an attacker control a trusted feed. If an attacker can find some
way to inject data into a trusted feed then they will be able to exploit
any subscribers to the feed.
Workaround:
iDefense is currently unaware of any workarounds for this issue.
Vendor reponse:
Microsoft has addressed this vulnerability within MS07-048. For more
information, consult their bulletin at the following URL.
<http://www.microsoft.com/technet/security/Bulletin/MS07-048.mspx>
http://www.microsoft.com/technet/security/Bulletin/MS07-048.mspx
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3033>
CVE-2007-3033
Disclosure Timeline:
03/21/2007 - Initial vendor notification
03/21/2007 - Initial vendor response
08/14/2007 - Coordinated public disclosure
ADDITIONAL INFORMATION
The information has been provided by
<mailto:idlabs-advisories@idefense.com> iDefense Labs Security Advisories.
The original article can be found at:
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=575>
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=575
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
No comments:
Post a Comment