Re: IE URL obfuscation

From: Josh Tanski (mortonjt_at_ROCHESTER.RR.COM)
Date: 12/10/03

  • Next message: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]: "New Security resources at Microsoft"
    Date:         Wed, 10 Dec 2003 13:36:57 -0500
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Ran some real quick tests with a fully patched IE6.0 on W2K:

    If you put www.microsoft.com in the Trusted Sites Zone, when you try the
    exploit at http://www.zapthedingbat.com/security/ex01/vun1.htm, IE still
    displays the icon for the Internet Zone.

    However, if you put www.zapthedingbat.com in the Restricted Sites zone (and
    enable active scripting...), when you run the exploit URL, IE displays the
    Internet Zone icon instead of the Restricted Sites zone icon.

    Same thing if you put www.zapthedingbat.com in Trusted Sites or Local
    Intranet: it seems to always run in the Internet Zone. So it does not
    appear to be able to be used to spoof better trust than the Internet Zone.
    Can anyone confirm/deny this? I didn't try recreating the exploit for myself to
    see if scripts/ActiveX could actually be run that shouldn't be.

    Josh

