RSSThree-year-old JavaScript Bug Continues to Plague IE7
By Scott M. Fulton, III | Published February 27, 2007, 3:37 PM
Last Friday, Polish researcher Michal Zalewski reported discovering an interesting little JavaScript trick that keeps a user stuck on a Web page even though he's trying to navigate somewhere else. His discovery involves the simple use of a JavaScript event to make it appear as though a browser is displaying any particular URL, when it's not.
When the exploit works, the onunload() event triggers the execution of JavaScript code the moment the user exits a Web page - which is how this JavaScript event is designed to work. But from there, the exploit would write information to the Web page without changing the contents of the address bar, potentially enabling a phisher to drop genuine-looking contents into a page to fool the user into thinking he's on a legitimate site.
Of course, the code itself would need to be attached to a page whose authenticity can't be questioned even though the event code hasn't been run yet. That's a tricky maneuver unless the HTML framework is being run by an e-mail client whose JavaScript interpreter is enabled.
In BetaNews tests of Zalewski's test page in IE7 on multiple Windows machines, including two XP-based systems and one Vista-based Virtual PC-driven environment, the test page failed to spoof a Web site effectively when the user attempts to exit the page by clicking on a link in IE7's Links toolbar or Favorites list. While the user is still stuck on the test page, the address bar continues to read the test page's address.
However, when an address is typed manually into the IE7 address bar, the user remains stuck on the Web page while the address bar continues to read what the user typed. If the user tries clicking Links or Favorites again, the page remains stuck, and the address bar continues to show what the user typed. Apparently, when IE7 allows JavaScript to process the onunload() event, it does not change the contents of the address bar - it continues to show whatever it did before.
 | That's not BetaNews! No, it's Michal Zalewski's trap, which appears to have effectively snarled Internet Explorer 7 in Windows Vista. |
Conceivably, rather than keeping the user stuck on the test page, embedded code in a working exploit could direct the user to several false locations under the auspices of a legitimate site. But to cajole a user into believing the legitimacy of a document that directs him to type an address directly into the address bar rather than click a link is a tall order, which is probably why security firms such as Secunia are rating the vulnerability level of this bug as "less critical."
BetaNews tests of Firefox version 2.0.0.2 (the recently patched edition) in both Windows XP and Vista showed its behavior somewhat different - perhaps a little awkward, but still preventing exploitability. When running the same, unmodified JavaScript code that traps the IE7 user, instead of displaying the content of the test page, Firefox clears the page and leaves it blank. Meanwhile, its address bar reads the legitimate address of the site the user chooses, whether he types it into the address bar manually or clicks on his Links toolbar or Bookmarks pane.
Sometimes the Firefox browser window does remain stuck on the blank page and sometimes it does not. Exactly why this behavior only happens occasionally has not yet been determined.
So while the trick can't be used to spoof an address for a Firefox user, it could conceivably be used as a nuisance ploy - a dull one, but a nuisance nonetheless. Yesterday, Mozilla acknowledged the event handler bug, stating it had already been fixed in version 2.0.0.2, posted earlier this week.
Our research turned up instances of security researchers having discovered essentially the same problem with the onunload() event in Firefox as far back as July 2004, in Opera as far back as May 2004, and in Internet Explorer as far back as July 2004.
In BetaNews tests, additions and modifications to the JavaScript code that traps the IE7 browser user on the same page - for instance, trying to make it open another window - cause Firefox to stop execution of the code altogether, returning the browser to its normal behavior. In that instance, Mozilla's claimed fix appears to be effective.
There's nothing in the JavaScript code itself that makes IE7 and Firefox change its behavior in order to leave the address bar unchanged or leave the contents of the page blank. Also, it's very important to note here that JavaScript code running in IE7, even when triggered by the onunload() event, continues to run under the same restrictions as all other JavaScript code. So if JavaScript has no access to the file system normally, nothing triggered by this little trick will give it access automatically. Third-party firewalls continue to disable JavaScript code from manipulating cookies, by forcing the .cookie property to be changed to the .ignore property, as ZoneAlarm continued to do in BetaNews tests.
With more time, we may study the possibility that third-party popup blockers exacerbate the problem for Firefox, and may be responsible for the "blank page" occasions where Zalewski's trap does not appear 100% fixed.
Thus it would be inaccurate to state that this trick gives malicious users open access to remote users' data, as many blogs reported this afternoon, although the trick can be used to effectively mask JavaScript code from being run in an obviously detectable fashion by the user.
These articles need to be shorter.
Score: 0
|If you are using Firefox, the NoScript extension is your friend. Disable JavaScript by default, and only enable when necessary.
I'm not aware of a similar plugin for MSIE. If someone else is, please let us know.
(and before anyone answers "But you can disable script in MSIE," please read this short piece: http://www.pcworld.com/a.../id,128536/article.html).
Score: 0
|HAHAHAHAHAHAHAHAHAHAHAHAHAHA
I cant stop laughing at MS, its like the 3 stooges over there.
Score: 0
|Fixed and unfixed total
FF 2.0
23 Security Issues Total So Far
IE 7.0
10 Security Issues Total So Far
This includes Multiple Vulnerabilities fixed.
So you can stop laughing, because I am still laughing the FF is no where near as secure as IE is
Score: 0
|Read beyond the headline funny guy.
Score: 0
|Secunia has 2 of 6 advisories for Firefox2 unpatched, and 6 of 8 for IE7... I give most secure to the one with the least unpatched issues floating around.
Score: 0
|Faulty logic as it doesn't list how many security issues there were to begin with. As an example: Firefox fixed 23 out of 24 issues, IE 7.0 fixed 10 out of 24 issues. In this hypothetical, which is really the more secure browser?
Score: 0
|I would like to say Firefox, but the reality is Opera.
http://msmvps.com/blogs/.../2007/01/27/523024.aspx
Score: 0
|I'm confused. Since the headline for the Blog is:
"The heat is off Firefox - Opera has a far greater percentage of unpatched installations according to Secunia".
What is it you claiming? Or do you have a problem with reading comprehension?
Score: 0
|um, do I need to go here ?
yeah FF2 may have 23 fixes - over what a year ?
IE7 10 in what 6 months ?
let me think about the ratio.
Score: 0
|Wow, that report really is confusing if people don't read it carefully. Bad link.
Score: 0
|Yes, the report is confusing. My claim is that Opera is more secure, and no, I do not have a problem with reading comprehension.
Just to clarify, read the blog reply titled:
"At least some of the Opera installations are patched to 100% - as none is for FF and IE @ Sunday, January 28, 2007 11:22 PM"
and follow the links under where it says:
"Opera Software managed to fix all known security issues back to Opera 7 and even Opera 5 and 6 have only one less critical unpatched Secunia advisory each. I think that's a really good security record:"
Also, PCAuthority reviewed Opera 9 with the following remark: (http://www.pcauthority.c...review.aspx?CIaRID=3143) which even though was reviewed last year, still holds the same benchmark:
"Speed may be a welcome metric, but it isn’t one that should weigh too heavily win deciding which client you default to. Security, on the other hand, should be, and it’s here that Opera still beats the competition hands down. According to the Secunia Vulnerability Report, Opera rates 13 advisories with none extremely critical or remaining unpatched. Compare that to Firefox (30/3 percent/10 percent) and Internet Explorer (85/14 percent /25 percent) to see how clear cut the security argument is. Indeed, the basic Opera security model is so good all that’s changed is enabling TLS 1.1 and TLS Extensions by default, and upgrading the crypto library to OpenSSL 0.9.8."
There are heaps of references to back up Opera's security track record. Still a sceptic? There's always Google...
Score: 0
|Try since November of last year, same time IE7 was released
Score: 0
|This is a "plague"? Come on, you guys are really reaching...
Score: 0
|clearly just a minor pestilence
Score: 0
|Weasel words :D
Score: 0
|IE7 has crabs?
Score: 0
|