Re: [Full-disclosure] Phishing using IE7 local resource vulnerability



Hi Robert,

Protected Mode and UAC are different security features.
But even so, it is possible to access local resource ("res://") links
with Protected Mode and UAC features enabled. You can test it yourself here:
http://www.raffon.net/research/ms/ie/navcancl/cnn.html or watch the demo
video here: http://raffon.net/videos/ie7navcancl.wmv.
The only way to mitigate this vulnerability by an out-of-the-box security
feature is to set the security level of the "Internet Zone" to "High". This
will disable "javascript:" links, so the user will not be able to click the
"Refresh the page." link in the navcancl.htm local resource page.
But, I doubt anyone will do that when they can simply just avoid clicking
any link in the "Navigation Canceled" page.

--Aviv.

-----Original Message-----
From: robert@xxxxxxxxxxxxxxxxxxxxxxxxxx
[mailto:robert@xxxxxxxxxxxxxxxxxxxxxxxxxx]
Sent: Thursday, March 15, 2007 5:13 PM
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Phishing using IE7 local resource vulnerability

This appears to be mitigated in Vista by Protected Mode, which is on by
default, and denies access to local resources. If people decide to disable
UAC, they must accept the potential risks that come with it, such as this
XSS attack. I appreciate that this is a valid risk for XP.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
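
The mitigation described in the reply above (Internet Zone set to "High", which turns off scripting for that zone) can be checked on a workstation. This is an added example, not part of the original thread; the registry paths, the `CurrentLevel` value for High and URL action `1400` (Active scripting) are assumptions drawn from the standard IE zone settings layout, not from the messages.

```powershell
# Added example: audit the IE "Internet" zone (zone 3) for the mitigation
# discussed in the thread. Assumption: URL action 1400 (Active scripting)
# is the setting that governs "javascript:" links.
$zonePaths = @(   # checked in order; first hive that defines the value wins
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
)
$HighLevel = 0x12000   # CurrentLevel written by the "High" template
$Disabled  = 3         # URL action values: 0 = enable, 1 = prompt, 3 = disable

function Get-ZoneValue {
    param([string[]]$Paths, [string]$Name)
    foreach ($p in $Paths) {
        # Missing keys or values return nothing instead of raising an error.
        $item = Get-ItemProperty -Path $p -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Source = $p; Value = [int]$item.$Name }
        }
    }
    return $null
}

$level  = Get-ZoneValue -Paths $zonePaths -Name 'CurrentLevel'
$script = Get-ZoneValue -Paths $zonePaths -Name '1400'

# A zone can read "High" while 1400 was re-enabled through a custom setting,
# or read "Custom" (0) with scripting still off, so both values are reported.
$isHigh       = ($null -ne $level)  -and ($level.Value  -eq $HighLevel)
$scriptingOff = ($null -ne $script) -and ($script.Value -eq $Disabled)

[pscustomobject]@{
    ZoneLevel       = if ($level)  { '0x{0:X}' -f $level.Value } else { 'not set' }
    LevelSource     = if ($level)  { $level.Source }  else { 'n/a' }
    ActiveScripting = if ($script) { $script.Value }  else { 'not set' }
    ScriptSource    = if ($script) { $script.Source } else { 'n/a' }
    Mitigated       = $isHigh -and $scriptingOff
}
```

The precedence order is simplified: it does not account for a policy that forces machine-wide zone settings only.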


