Microsoft Internet Explorer does not properly handle document.open()

Overview

Microsoft Internet Explorer contains a vulnerability in which a script from one source is permitted to access files on the client’s file system. An attacker may be able to read cookies and other files on a target system, and spoof Internet sites by creating believable window titles.

Description

Microsoft Internet Explorer features the ability to process scripting code contained in HTML documents. This feature is known as Active scripting, and one of the supported languages is called JScript. JScript is similar to Netscape’s JavaScript, and both languages played some part in the development of ECMAScript, which is defined in ECMA-262.

In JScript, the open method is used to access a document or to open a browser window, and the close method is typically used to close the document or window. The open method takes an argument that specifies either the MIME type (text/html only) of the document or a URL to render in a new browser window.

For security reasons, a script loaded from one site should not be able to access resources on another site, including the local client. In JavaScript, the Same Origin Policy protects clients by ensuring that “when loading a document from one origin, a script loaded from a different origin cannot get or set specific properties of specific browser and HTML objects in a window or frame.”

A message posted to the bugtraq mailing list reports that when processing a script containing document.open() without a corresponding document.close(), Internet Explorer allows the script to access local files and other sites without warning, even if the script and the target objects are in different security zones. A script from a potentially malicious site executing in a browser window in the Internet zone is able to access local files via the Document Object Model (DOM) interface. This vulnerability allows an attacker to read cookies and other files of MIME type text/html on the client’s file system and also allows an attacker to spoof Internet sites by displaying believable window titles. An attacker who is able to obtain cookies may be able to impersonate a legitimate user and obtain sensitive data such as passwords or credit card information. An attacker could send specially crafted HTML email messages to victims or otherwise convince them to visit a malicious website. Note that in order for this vulnerability to be exploited, Active scripting must be enabled in the security zone in which the email message or web page is rendered.

It has been reported that this vulnerability can also be exploited using document.close().

---

Impact

By convincing a user to view a malicious web page or HTML email message, a remote attacker can read cookies and certain types of files on the target host and spoof Internet sites.

---

Solution

Apply Patch
Apply Q316059 or a more recent cumulative patch for Internet Explorer. See Microsoft Security Bulletin MS02-005 for more information.

---

Disable Active scripting

To prevent the effects of this vulnerability, disable Active scripting. Instructions for disabling Active scripting can be found in the CERT/CC Malicious Web Scripts FAQ. At a minimum, disable Active scripting in the Internet zone and the zone used by Outlook, Outlook Express, or any other email client that uses Internet Explorer to render HTML.

---

Vendor Information

598147

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Microsoft Corporation __ Affected

Notified: December 20, 2001 Updated: February 18, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

<<http://www.microsoft.com/technet/security/bulletin/MS02-005.asp&gt;&gt;

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23598147 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.osioniusx.com>
• <http://home.austin.rr.com/wiredgoddess/thepull/advisory3.html&gt;
• <http://www.securityfocus.com/bid/3721&gt;
• <http://support.microsoft.com/?kbid=317729&gt;
• <http://msdn.microsoft.com/workshop/author/om/xframe_scripting_security.asp&gt;

Acknowledgements

This vulnerability was discovered by “the Pull” .

This document was written by Ian A. Finlay and Art Manion.

Other Information

CVE IDs:	CVE-2002-0027
Severity Metric:	28.08 Date Public: