Vulnerabilities / Threats
6/28/2013
09:27 AM
50%
50%

IE, Chrome Browser Attack Exploits Windows PCs

Microsoft says the social-engineering vulnerability, which uses "pop-under" browser notifications and a fake Captcha, isn't a Windows bug.

Warning: Browser security notification mechanisms can be abused by attackers to hide downloads, dismiss notifications and disguise malicious code execution.

Details of those vulnerabilities were recently presented by independent security researcher Rosario Valotta in a presentation titled "Abusing Browser User Interfaces for Fun and Profit" at last week's Nuit du Hack conference at Disneyland Paris, as well as other recent conferences in Amsterdam and Moscow.

Using the detailed vulnerabilities to create a related exploit is "ridiculously simple," and can be initiated "without any notification or user confirmation," Valotta said in a blog post. "All you need is to type one key on Internet Explorer or make one click on Google Chrome" for the exploit to succeed.

The detailed vulnerabilities begin with modern browsers using modeless notifications to alert users to such events as file downloads, plug-in installations or authorizing HTML5 privileged APIs. "These notifications bars are non-invasive, they are designed ... to inform users without interrupting navigation, but they suffer from some serious design problems," Valotta said.

[ Want to know which security practices give the best bang for your buck? Read Security ROI: 5 Practices Analyzed. ]

Notably, such notifications appear only in the related window or tab that generated them. "So if you are able to 'hide' the navigation window, you can hide also the notification, this means you can [as an example] download a file on your computer and have no notification at all from your browser," he said. In addition, even though these windows might be hidden, the notification is active, meaning that the screen will accept a keyboard shortcut -- for example to save a file or run a file.

Here's Valotta's attack scenario: A user visits a malicious website, which opens a pop-under window and begins downloading a malicious file. Pop-under windows -- they appear behind the active window -- can be created using JavaScript, for example via the cross-browser tool js-popunder, which is available for free from GitHub.

Getting that malicious file to execute, however, requires a bit of trickery, which is also known as social engineering. With Internet Explorer, for example, a user would have to be tricked into typing a required key -- "r" on English-language systems, to make a downloaded file run, or "e" on Italian systems, and so on -- which would in fact be transmitting the keystroke to the hidden, but active, pop-under window.

How might this be accomplished? "Well, there are plenty of ways: a game, a typing lesson," said Valotta. "But my favorite one is a Captcha. Just take a fake Captcha starting with the proper letter ("r" or "e") and you'll get 100% of tricked users."

While a letter must be typed to complete the exploit via IE, for Chrome browsers the requirement -- after the file has been downloaded -- is different. "You need to trick the victim into clicking on some link/button on the foreground window," said Valotta. "The attacker, using some [JavaScript], is able to track mouse pointer coordinates so -- as soon the mouse is hovering on the button -- the attacker can close the foreground window." Obviously, attackers would need to get their timing right.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
moarsauce123
50%
50%
moarsauce123,
User Rank: Apprentice
6/29/2013 | 5:55:50 PM
re: IE, Chrome Browser Attack Exploits Windows PCs
This is clearly a browser bug. As soon as a notification gets shown the window needs to be active and in the front. But is easier to blame others than fix the own flaws.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8917
Published: 2015-01-28
Multiple cross-site scripting (XSS) vulnerabilities in (1) dojox/form/resources/uploader.swf (aka upload.swf), (2) dojox/form/resources/fileuploader.swf (aka fileupload.swf), (3) dojox/av/resources/audio.swf, and (4) dojox/av/resources/video.swf in the IBM Dojo Toolkit, as used in IBM Social Media A...

CVE-2014-8920
Published: 2015-01-28
Buffer overflow in the Data Transfer Program in IBM i Access 5770-XE1 5R4, 6.1, and 7.1 on Windows allows local users to gain privileges via unspecified vectors.

CVE-2015-0235
Published: 2015-01-28
Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST."

CVE-2015-0312
Published: 2015-01-28
Double free vulnerability in Adobe Flash Player before 13.0.0.264 and 14.x through 16.x before 16.0.0.296 on Windows and OS X and before 11.2.202.440 on Linux allows attackers to execute arbitrary code via unspecified vectors.

CVE-2015-0581
Published: 2015-01-28
The XML parser in Cisco Prime Service Catalog before 10.1 allows remote authenticated users to read arbitrary files or cause a denial of service (CPU and memory consumption) via an external entity declaration in conjunction with an entity reference, as demonstrated by reading private keys, related t...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If youíre a security professional, youíve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.