News and Events Archive

An undocumented property in Internet Explorer's <frame> and <iframe> elements exposes users to a critical vulnerability.

Once again, an attacker is able to read personal cookies and content from any site, forge content on any URL, read local user files and even execute programs on the user's machine.

Both Internet Explorer 5.5 SP2 and Internet Explorer 6 are vulnerable, but surprisingly this vulnerability does not exist in IE6 SP1. It's hard to believe that Microsoft actually meant to plug it, as IE5.5 remains vulnerable, yet somehow this stray property had been fixed in IE6 SP1.

Read all about it and see if you're vulnerable using our online demonstrations.

Internet Explorer does it again. This time, sites that use frames or iframes are exposing their users to attacks.

We discovered that it is possible for an attacker to execute script on any site that contains a frame or iframe element, ignoring any protocol or domain restriction set forth by Internet Explorer. This means that with little effort, an attacker is able to read local files, execute arbitrary programs, steal cookies, forge site content and more.

Read the details and test it yourself using our demonstrations.

UPDATE: IE6 SP1 caused the "Program execution" and "Local file reading" demonstrations to not function. They stopped functioning because SP1 blocks links to res:// and file:// URLs and not because Microsoft fixed the core vulnerability (this could have been verified by running the first and second demonstrations).

We have now revised both demonstrations to circumvent the block, and it is again possible to read local files and execute programs, even with IE6 SP1.

Our 9th Internet Explorer security advisory has been released. This time the culprit is an old XML feature, kept for the sake of backwards compatibility since IE4. It may allow access to remote and local content.

It was reported to Microsoft in February this year and was finally patched today, read MS02-047 for more information.

The patch also includes Microsoft's second attempt to fix the dialogArguments issue, this time it appears to be successful.

After 4.5 months of waiting for a fix, Microsoft finally released a security update for OWC today, which addresses the vulnerabilities we publicly disclosed on 08-Apr-2002.

Read what Microsoft has to say and download the patch from MS02-044.

UPDATE: The "Kill Bit" was not set for the vulnerable OWC version. This means that an attacker can easily reintroduce the old OWC, properly signed by Microsoft, and gain complete access to the vulnerabilities we found. And unlike Microsoft claims, it's not that easy to notice it install itself, an attacker can open an off-screen window that will silently install OWC without the user knowing.

This is a fundamental problem in the patch and it renders it quite useless for users who set their IE to trust content from Microsoft or users that tend to click "Yes" when they see controls signed by Microsoft.

GreyMagic released its 12th security advisory today. The popular Google toolbar component was found to have multiple severe vulnerabilities. Some of them are: executing programs, reading local files, hijacking the toolbar and more. Read the full advisory and check out the demonstrations.

We added another demonstration to our GM#001-AX advisory. This one shows how it is also possible to read any local file using this vulnerability.

In other news, we plan to release three new advisories during August and September, two of them very critical. We will also implement a new design for the site during these months along with a little re-organization.

GreyMagic's first Opera advisory has been released today. The vulnerability allows for a web page to download any local file directly from the user and does not require any interaction. This vulnerability is currently the most devastating one found in Opera. Read the full advisory and test your browser.

After further testing of Microsoft's new cumulative patch, we learned that the patch for our GM#004-IE advisory (Reading portions of local files) is extremely weak and can be easily circumvented in some systems. This shouldn't come as a surprise after Microsoft's failure to correctly patch the dialogArguments issue.

GM#004-IE has been revised to demonstrate how easily Microsoft's new protection can be bypassed.

Microsoft released a cumulative patch yesterday, which, among other issues, allegedly patches the dialogArguments vulnerability. Unfortunately, it seems like Microsoft did not understand the vulnerability and only patched a symptom of it. Therefore, the demonstration in our appendix still works on "patched" IE versions.

Mozilla's implementation of XMLHTTP contains a severe vulnerability that may give malicious web sites full read access to a victim's file system. Read the full advisory and test your browser.

Yet another vulnerability in MSIE has been uncovered. It was first thought to only affect MSIE 6, but our research showed that MSIE 5 and 5.5 are also vulnerable. Read the details and see if you're vulnerable.

Office Web Components, which are installed by default with Microsoft Office, contain several vulnerabilities that can be exploited in MSIE. The most severe of them allows a malicious web site to read any local file. The other vulnerabilities allow an attacker to spy on a victim's clipboard, Execute script commands even if the victim disabled it and also find out if certain files exist on the victim's file system.