Vulnerabilities / Threats
6/28/2013
09:27 AM
50%
50%

IE, Chrome Browser Attack Exploits Windows PCs

Microsoft says the social-engineering vulnerability, which uses "pop-under" browser notifications and a fake Captcha, isn't a Windows bug.

Warning: Browser security notification mechanisms can be abused by attackers to hide downloads, dismiss notifications and disguise malicious code execution.

Details of those vulnerabilities were recently presented by independent security researcher Rosario Valotta in a presentation titled "Abusing Browser User Interfaces for Fun and Profit" at last week's Nuit du Hack conference at Disneyland Paris, as well as other recent conferences in Amsterdam and Moscow.

Using the detailed vulnerabilities to create a related exploit is "ridiculously simple," and can be initiated "without any notification or user confirmation," Valotta said in a blog post. "All you need is to type one key on Internet Explorer or make one click on Google Chrome" for the exploit to succeed.

The detailed vulnerabilities begin with modern browsers using modeless notifications to alert users to such events as file downloads, plug-in installations or authorizing HTML5 privileged APIs. "These notifications bars are non-invasive, they are designed ... to inform users without interrupting navigation, but they suffer from some serious design problems," Valotta said.

[ Want to know which security practices give the best bang for your buck? Read Security ROI: 5 Practices Analyzed. ]

Notably, such notifications appear only in the related window or tab that generated them. "So if you are able to 'hide' the navigation window, you can hide also the notification, this means you can [as an example] download a file on your computer and have no notification at all from your browser," he said. In addition, even though these windows might be hidden, the notification is active, meaning that the screen will accept a keyboard shortcut -- for example to save a file or run a file.

Here's Valotta's attack scenario: A user visits a malicious website, which opens a pop-under window and begins downloading a malicious file. Pop-under windows -- they appear behind the active window -- can be created using JavaScript, for example via the cross-browser tool js-popunder, which is available for free from GitHub.

Getting that malicious file to execute, however, requires a bit of trickery, which is also known as social engineering. With Internet Explorer, for example, a user would have to be tricked into typing a required key -- "r" on English-language systems, to make a downloaded file run, or "e" on Italian systems, and so on -- which would in fact be transmitting the keystroke to the hidden, but active, pop-under window.

How might this be accomplished? "Well, there are plenty of ways: a game, a typing lesson," said Valotta. "But my favorite one is a Captcha. Just take a fake Captcha starting with the proper letter ("r" or "e") and you'll get 100% of tricked users."

While a letter must be typed to complete the exploit via IE, for Chrome browsers the requirement -- after the file has been downloaded -- is different. "You need to trick the victim into clicking on some link/button on the foreground window," said Valotta. "The attacker, using some [JavaScript], is able to track mouse pointer coordinates so -- as soon the mouse is hovering on the button -- the attacker can close the foreground window." Obviously, attackers would need to get their timing right.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
moarsauce123
50%
50%
moarsauce123,
User Rank: Apprentice
6/29/2013 | 5:55:50 PM
re: IE, Chrome Browser Attack Exploits Windows PCs
This is clearly a browser bug. As soon as a notification gets shown the window needs to be active and in the front. But is easier to blame others than fix the own flaws.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-1637
Published: 2015-03-06
Schannel (aka Secure Channel) in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly restrict TLS state transitions, which makes it easier for r...

CVE-2014-2130
Published: 2015-03-05
Cisco Secure Access Control Server (ACS) provides an unintentional administration web interface based on Apache Tomcat, which allows remote authenticated users to modify application files and configuration files, and consequently execute arbitrary code, by leveraging administrative privileges, aka B...

CVE-2014-9688
Published: 2015-03-05
Unspecified vulnerability in the Ninja Forms plugin before 2.8.10 for WordPress has unknown impact and remote attack vectors related to admin users.

CVE-2015-0598
Published: 2015-03-05
The RADIUS implementation in Cisco IOS and IOS XE allows remote attackers to cause a denial of service (device reload) via crafted IPv6 Attributes in Access-Accept packets, aka Bug IDs CSCur84322 and CSCur27693.

CVE-2015-0607
Published: 2015-03-05
The Authentication Proxy feature in Cisco IOS does not properly handle invalid AAA return codes from RADIUS and TACACS+ servers, which allows remote attackers to bypass authentication in opportunistic circumstances via a connection attempt that triggers an invalid code, as demonstrated by a connecti...

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.