Not a flaw...II



mjc
09-13-2002, 03:22 PM
We discovered that it is possible for an attacker to execute script on any page that contains <frame> or <iframe> elements, ignoring any protocol or domain restriction set forth by Internet Explorer. This means that an attacker can steal cookies from almost any site, access and change content in sites and in most cases also read local files and execute arbitrary programs on the client's machine (script in the "My Computer" zone).
GreyMagic Security

http://sec.greymagic.com/adv/gm010-ie/

Pretty easy fix for this one....disable "Navigate sub-frames across different domains" in Internet Options. And/or disable (or prompt) Active Scripting....
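
To check how the two settings named in the post above are currently configured, here is an audit script, added as an example and not part of the original post. It assumes the standard Internet Explorer zone registry layout, where URL action 1607 is "Navigate sub-frames across different domains" and 1400 is "Active scripting"; those IDs and registry paths are not given on this page.

```powershell
# Added example: read-only audit of two IE zone settings, per zone and per source.
# Value meanings: 0 = Enable, 1 = Prompt, 3 = Disable.
$actions = [ordered]@{ '1607' = 'Navigate sub-frames across different domains'
                       '1400' = 'Active scripting' }
$zones   = [ordered]@{ '1' = 'Local intranet'; '2' = 'Trusted sites'
                       '3' = 'Internet';       '4' = 'Restricted sites' }
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# A value can be set as a user preference or pushed by policy; report every place it is set.
$suffix = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$roots  = [ordered]@{
    'HKCU preference' = "HKCU:\Software\$suffix"
    'HKCU policy'     = "HKCU:\Software\Policies\$suffix"
    'HKLM policy'     = "HKLM:\Software\Policies\$suffix"
}

function Get-IEZoneAudit {
    foreach ($z in $zones.GetEnumerator()) {
        foreach ($a in $actions.GetEnumerator()) {
            foreach ($r in $roots.GetEnumerator()) {
                $key  = Join-Path $r.Value $z.Key
                $item = Get-ItemProperty -Path $key -Name $a.Key -ErrorAction SilentlyContinue
                if ($null -eq $item) { continue }   # not set at this location
                $v = [int]$item.($a.Key)
                [pscustomobject]@{
                    Zone    = $z.Value
                    Setting = $a.Value
                    Source  = $r.Key
                    State   = if ($meaning.ContainsKey($v)) { $meaning[$v] } else { "Other ($v)" }
                    # Assumption of this example: flag only the Internet zone when left on Enable,
                    # since Trusted sites may be deliberately relaxed.
                    NeedsReview = ($z.Key -eq '3' -and $v -eq 0)
                }
            }
        }
    }
}

Get-IEZoneAudit | Sort-Object Zone, Setting, Source | Format-Table -AutoSize
```

The script changes nothing; rows with `NeedsReview` set to `True` are the ones that differ from the setting suggested in the post.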

Paul Komski
09-13-2002, 06:20 PM
I have just about every security function in IE set to disable or prompt. IMHO it's the only way to "surf" with any degree of freedom with IE.

For sites that one does trust (and that need these features), just add them to the trusted sites zone.

sleddog
09-13-2002, 09:07 PM
...or use a more secure browser :)