There exists a vulnerability in Microsoft Internet Explorer that can allow for a violation of the same origin policy. In modern browsers, script code executing in the context of one website should not be able to access the properties of another. This is a security feature known as the 'same origin policy', and it is put in place to prevent malicious websites from interacting with and possibly stealing sensitive information from others in different windows.

When one website ('parent') opens another website in a new window ('child') using the document.Open() method in vulnerable versions of MSIE, it is possible for script code in the parent to interact with properties of the child. This violation of the 'same origin policy' is a severe security vulnerability.

There are many ways that an attacker could exploit this vulnerability. Attackers can construct websites that, for example:

- Steal cookies associated with arbitrary websites.
- Perform actions on different websites through script code (for example, it may be possible to delete mail on a webmail system).
- Transmit the contents of local files (parseable as type text/html) to attacker-controlled webservers.
- Write to windows containing different websites, effectively 'spoofing' the content. This is probably the most serious consequence, as trusted websites can be replaced with entirely attacker-created HTML.
- Access other objects through MSIE, such as MSN contacts.

** UPDATE ** : There have been reports of a worm-like exploit for this vulnerability in the wild. The exploit is triggered by a malicious webpage. When a victim visits the site, this vulnerability is allegedly exploited to send messages to all users in the user's MSN contact list. The messages contain links to the malicious site. It is through these messages that users are being exploited (it could be said that the exploit is 'propagating'; however, it is believed that the victim must click on the link and visit the site).

To avoid exploitation, do not click on any links in a message similar to this: '"Go To http://www.masenko-media.net/cool.html NoW !!!"' A safe practice is to not click on links in instant messages at all. At the time of this update, the link listed above did not contain the exploit. This does not mean that the exploit cannot appear elsewhere. Users are advised to be cautious while using MSN and visiting unknown websites.
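
The same origin check that the advisory says is bypassed for parent and child windows can be written out as a comparison of scheme, host and port. The following is an added example, not code from the advisory or from MSIE; the function names and sample URLs are constructed for illustration.

```javascript
// Added illustration: the origin comparison a browser is expected to apply
// before script in a 'parent' window may read properties of a 'child' window.
// Function names and sample URLs are constructed for this example.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to the (scheme, host, port) tuple that the policy compares.
// Schemes without a network origin (file:, data:, ...) are treated as opaque.
function originOf(url) {
  const u = new URL(url);
  if (!(u.protocol in DEFAULT_PORTS)) return null;
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS[u.protocol], // empty port means the scheme default
  };
}

// Two URLs share an origin only if all three components match exactly.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  if (oa === null || ob === null) return false; // opaque origins never match
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Decision for script in the parent touching the child window it opened.
function mayAccessChild(parentUrl, childUrl) {
  return sameOrigin(parentUrl, childUrl);
}

// Constructed cases mirroring the advisory's scenarios.
const CASES = [
  ["http://parent.example/page.html", "http://parent.example/popup.html"], // same site
  ["http://parent.example/page.html", "http://webmail.example/inbox"],     // other site
  ["http://parent.example/page.html", "https://parent.example/page.html"], // scheme differs
  ["http://parent.example:80/", "http://parent.example/"],                 // default port
  ["http://parent.example/page.html", "file:///tmp/notes.html"],           // local file
];

for (const [parent, child] of CASES) {
  const verdict = mayAccessChild(parent, child) ? "allow" : "deny";
  console.log(`${verdict}  ${parent} -> ${child}`);
}
```

Only the first and fourth cases are allowed; a browser enforcing the policy denies the parent access to the other site, the other scheme and the local file.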