Vulnerabilities / Threats

6/28/2013
09:27 AM
50%
50%

IE, Chrome Browser Attack Exploits Windows PCs

Microsoft says the social-engineering vulnerability, which uses "pop-under" browser notifications and a fake Captcha, isn't a Windows bug.

Warning: Browser security notification mechanisms can be abused by attackers to hide downloads, dismiss notifications and disguise malicious code execution.

Details of those vulnerabilities were recently presented by independent security researcher Rosario Valotta in a presentation titled "Abusing Browser User Interfaces for Fun and Profit" at last week's Nuit du Hack conference at Disneyland Paris, as well as other recent conferences in Amsterdam and Moscow.

Using the detailed vulnerabilities to create a related exploit is "ridiculously simple," and can be initiated "without any notification or user confirmation," Valotta said in a blog post. "All you need is to type one key on Internet Explorer or make one click on Google Chrome" for the exploit to succeed.

The detailed vulnerabilities begin with modern browsers using modeless notifications to alert users to such events as file downloads, plug-in installations or authorizing HTML5 privileged APIs. "These notifications bars are non-invasive, they are designed ... to inform users without interrupting navigation, but they suffer from some serious design problems," Valotta said.

[ Want to know which security practices give the best bang for your buck? Read Security ROI: 5 Practices Analyzed. ]

Notably, such notifications appear only in the related window or tab that generated them. "So if you are able to 'hide' the navigation window, you can hide also the notification, this means you can [as an example] download a file on your computer and have no notification at all from your browser," he said. In addition, even though these windows might be hidden, the notification is active, meaning that the screen will accept a keyboard shortcut -- for example to save a file or run a file.

Here's Valotta's attack scenario: A user visits a malicious website, which opens a pop-under window and begins downloading a malicious file. Pop-under windows -- they appear behind the active window -- can be created using JavaScript, for example via the cross-browser tool js-popunder, which is available for free from GitHub.

Getting that malicious file to execute, however, requires a bit of trickery, which is also known as social engineering. With Internet Explorer, for example, a user would have to be tricked into typing a required key -- "r" on English-language systems, to make a downloaded file run, or "e" on Italian systems, and so on -- which would in fact be transmitting the keystroke to the hidden, but active, pop-under window.

How might this be accomplished? "Well, there are plenty of ways: a game, a typing lesson," said Valotta. "But my favorite one is a Captcha. Just take a fake Captcha starting with the proper letter ("r" or "e") and you'll get 100% of tricked users."

While a letter must be typed to complete the exploit via IE, for Chrome browsers the requirement -- after the file has been downloaded -- is different. "You need to trick the victim into clicking on some link/button on the foreground window," said Valotta. "The attacker, using some [JavaScript], is able to track mouse pointer coordinates so -- as soon the mouse is hovering on the button -- the attacker can close the foreground window." Obviously, attackers would need to get their timing right.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
moarsauce123
50%
50%
moarsauce123,
User Rank: Ninja
6/29/2013 | 5:55:50 PM
re: IE, Chrome Browser Attack Exploits Windows PCs
This is clearly a browser bug. As soon as a notification gets shown the window needs to be active and in the front. But is easier to blame others than fix the own flaws.
Want Your Daughter to Succeed in Cyber? Call Her John
John De Santis, CEO, HyTrust,  5/16/2018
Don't Roll the Dice When Prioritizing Vulnerability Fixes
Ericka Chickowski, Contributing Writer, Dark Reading,  5/15/2018
New Mexico Man Sentenced on DDoS, Gun Charges
Dark Reading Staff 5/18/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Security through obscurity"
Current Issue
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-8142
PUBLISHED: 2018-05-21
A security feature bypass exists when Windows incorrectly validates kernel driver signatures, aka "Windows Security Feature Bypass Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-1035.
CVE-2018-11311
PUBLISHED: 2018-05-20
A hardcoded FTP username of myscada and password of Vikuk63 in 'myscadagate.exe' in mySCADA myPRO 7 allows remote attackers to access the FTP server on port 2121, and upload files or list directories, by entering these credentials.
CVE-2018-11319
PUBLISHED: 2018-05-20
Syntastic (aka vim-syntastic) through 3.9.0 does not properly handle searches for configuration files (it searches the current directory up to potentially the root). This improper handling might be exploited for arbitrary code execution via a malicious gcc plugin, if an attacker has write access to ...
CVE-2018-11242
PUBLISHED: 2018-05-20
An issue was discovered in the MakeMyTrip application 7.2.4 for Android. The databases (locally stored) are not encrypted and have cleartext that might lead to sensitive information disclosure, as demonstrated by data/com.makemytrip/databases and data/com.makemytrip/Cache SQLite database files.
CVE-2018-11315
PUBLISHED: 2018-05-20
The Local HTTP API in Radio Thermostat CT50 and CT80 1.04.84 and below products allows unauthorized access via a DNS rebinding attack. This can result in remote device temperature control, as demonstrated by a tstat t_heat request that accesses a device purchased in the Spring of 2018, and sets a ho...