Vulnerabilities / Threats
6/28/2013
09:27 AM
50%
50%

IE, Chrome Browser Attack Exploits Windows PCs

Microsoft says the social-engineering vulnerability, which uses "pop-under" browser notifications and a fake Captcha, isn't a Windows bug.

Warning: Browser security notification mechanisms can be abused by attackers to hide downloads, dismiss notifications and disguise malicious code execution.

Details of those vulnerabilities were recently presented by independent security researcher Rosario Valotta in a presentation titled "Abusing Browser User Interfaces for Fun and Profit" at last week's Nuit du Hack conference at Disneyland Paris, as well as other recent conferences in Amsterdam and Moscow.

Using the detailed vulnerabilities to create a related exploit is "ridiculously simple," and can be initiated "without any notification or user confirmation," Valotta said in a blog post. "All you need is to type one key on Internet Explorer or make one click on Google Chrome" for the exploit to succeed.

The detailed vulnerabilities begin with modern browsers using modeless notifications to alert users to such events as file downloads, plug-in installations or authorizing HTML5 privileged APIs. "These notifications bars are non-invasive, they are designed ... to inform users without interrupting navigation, but they suffer from some serious design problems," Valotta said.

[ Want to know which security practices give the best bang for your buck? Read Security ROI: 5 Practices Analyzed. ]

Notably, such notifications appear only in the related window or tab that generated them. "So if you are able to 'hide' the navigation window, you can hide also the notification, this means you can [as an example] download a file on your computer and have no notification at all from your browser," he said. In addition, even though these windows might be hidden, the notification is active, meaning that the screen will accept a keyboard shortcut -- for example to save a file or run a file.

Here's Valotta's attack scenario: A user visits a malicious website, which opens a pop-under window and begins downloading a malicious file. Pop-under windows -- they appear behind the active window -- can be created using JavaScript, for example via the cross-browser tool js-popunder, which is available for free from GitHub.

Getting that malicious file to execute, however, requires a bit of trickery, which is also known as social engineering. With Internet Explorer, for example, a user would have to be tricked into typing a required key -- "r" on English-language systems, to make a downloaded file run, or "e" on Italian systems, and so on -- which would in fact be transmitting the keystroke to the hidden, but active, pop-under window.

How might this be accomplished? "Well, there are plenty of ways: a game, a typing lesson," said Valotta. "But my favorite one is a Captcha. Just take a fake Captcha starting with the proper letter ("r" or "e") and you'll get 100% of tricked users."

While a letter must be typed to complete the exploit via IE, for Chrome browsers the requirement -- after the file has been downloaded -- is different. "You need to trick the victim into clicking on some link/button on the foreground window," said Valotta. "The attacker, using some [JavaScript], is able to track mouse pointer coordinates so -- as soon the mouse is hovering on the button -- the attacker can close the foreground window." Obviously, attackers would need to get their timing right.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
moarsauce123
50%
50%
moarsauce123,
User Rank: Apprentice
6/29/2013 | 5:55:50 PM
re: IE, Chrome Browser Attack Exploits Windows PCs
This is clearly a browser bug. As soon as a notification gets shown the window needs to be active and in the front. But is easier to blame others than fix the own flaws.
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: nice post
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1750
Published: 2015-07-01
Open redirect vulnerability in nokia-mapsplaces.php in the Nokia Maps & Places plugin 1.6.6 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the href parameter to page/place.html. NOTE: this was originally reported as cross-sit...

CVE-2014-1836
Published: 2015-07-01
Absolute path traversal vulnerability in htdocs/libraries/image-editor/image-edit.php in ImpressCMS before 1.3.6 allows remote attackers to delete arbitrary files via a full pathname in the image_path parameter in a cancel action.

CVE-2015-0848
Published: 2015-07-01
Heap-based buffer overflow in libwmf 0.2.8.4 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted BMP image.

CVE-2015-1330
Published: 2015-07-01
unattended-upgrades before 0.86.1 does not properly authenticate packages when the (1) force-confold or (2) force-confnew dpkg options are enabled in the DPkg::Options::* apt configuration, which allows remote man-in-the-middle attackers to upload and execute arbitrary packages via unspecified vecto...

CVE-2015-1950
Published: 2015-07-01
IBM PowerVC Standard Edition 1.2.2.1 through 1.2.2.2 does not require authentication for access to the Python interpreter with nova credentials, which allows KVM guest OS users to discover certain PowerVC credentials and bypass intended access restrictions via unspecified Python code.

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report