TITLE:
Microsoft Internet Explorer Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA9711

VERIFY ADVISORY:
http://www.secunia.com/advisories/9711/

CRITICAL:
Highly critical

IMPACT:
Cross Site Scripting, Exposure of sensitive information, System
access

WHERE:
From remote

SOFTWARE:
Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6

DESCRIPTION:
Multiple vulnerabilities have been identified in Microsoft Internet
Explorer. Some could expose sensitive information others may lead to
execution of arbitrary code.

1) File-protocol proxy / WsOpenFileJPU
A malicious site may retrieve cookie information from other sites by
opening them in the "_search" window. This information may then be
retrieved using the file protocol. It is believed that this could
also be exploited to execute arbitrary code in the context of the
other domain including the local security zone.

2) NavigateAndFind protocol history / NAFjpuInHistory
It is possible to retrieve information and execute JavaScript in the
context of other sites using the "history.back" function. This may
also affect the local security zone.

3) window.open search injection / WsFakeSrc
It is possible to open different sites using "window.open" and access
information and execute JavaScript in this window at any given time.
This may also affect the local security zone.

4) NavigateAndFind file proxy / NAFfileJPU
A combination of the file protocol and the NavigateAndFind function
allows malicious sites to access information and execute code in a
different window and domain. This may also affect the local security
zone.

5) Timed history injection / BackMyParent2
It is possible to access information from a site loaded in a
different frame and domain using the "history.back" function.

6) history.back method caching / RefBack
This is a variant of 5) BackMyParent also allowing a site to access
information from a different frame and domain.

7) Click hijacking / HijackClick
This allows malicious sites to trick users into performing actions
like drag'n'drop a resource from one place to another without their
knowledge. An example has been provided allowing sites to add links
to "Favorites". However, resources need not be links and the
destination could be different than "Favorites".

Issues 1-7 have been reported by Liu Die Yu and affect Internet
Explorer with all patches. Several other issues have also been
published. These however, affect Internet Explorer without all
patches installed. Thus they are not concidered relevant as they to
some extent are related to previously fixed vulnerabilities.

SOLUTION:
There is no patch for these issues. The only efficient solution is to
disable Active Scripting.

Secunia recommends that you disable Active Scripting, ActiveX and
plug-ins for all sites. You may then allow execution of this for
certain trusted sites on a case by case basis.

REPORTED BY / CREDITS:
Discovered and published by Liu Die Yu
Additional information from Thor Larholm

ORIGINAL ADVISORY:
http://safecenter.net/liudieyu/WsOpenFileJPU/WsOpenFileJPU-Content.HTM
http://safecenter.net/liudieyu/NAFjpuInHistory/NAFjpuInHistory-Content.HTM
http://safecenter.net/liudieyu/WsFakeSrc/WsFakeSrc-Content.HTM
http://safecenter.net/liudieyu/NAFfileJPU/NAFfileJPU-Content.HTM
http://safecenter.net/liudieyu/BackMyParent2/BackMyParent2-Content.HTM
http://safecenter.net/liudieyu/RefBack/RefBack-Content.HTM
http://safecenter.net/liudieyu/HijackClick/HijackClick-Content.HTM

OTHER REFERENCES:
http://www.pivx.com/larholm/unpatched/

----------------------------------------------------------------------

Secunia recommends that you verify all advisories you receive, by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

Contact details:
Web  : http://www.secunia.com/
E-mail  : support@secunia.com
Tel  : +45 7020 5144
Fax  : +45 7020 5145

----------------------------------------------------------------------