Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NT] Microsoft Windows Vista Sidebar RSS Feeds Gadget Cross Site Scripti

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NT] Microsoft Windows Vista Sidebar RSS Feeds Gadget Cross Site Scripting Vulnerability
Date: 15 Aug 2007 09:49:54 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Microsoft Windows Vista Sidebar RSS Feeds Gadget Cross Site Scripting 
Vulnerability
------------------------------------------------------------------------


SUMMARY

The  
<http://www.microsoft.com/windows/products/windowsvista/features/details/sidebargadgets.mspx>
 Vista sidebar is "a desktop extension that allows the user to keep a number of 
"gadgets", which are mini-applications, running in constant view on the 
desktop. Vista provides a number of default gadgets, such as a calendar, a 
weather tool, and an RSS feed reader".

RSS feeds allow a content provider, such as a website, to let others 
receive a stream of "headlines" describing content on the provider's site. 
The feeds are often updated frequently, and allow a user to receive 
information from a site without having to visit it. For example, a user 
may subscribe to a news feed that updates every hour with the headlines of 
top news stories. In order to subscribe to a feed, a user needs a feed 
reader. Modern browsers, such as Internet Explorer, provide a feed reader 
within the browser.

Remote exploitation of a Cross Site Scripting (XSS) vulnerability in the 
Windows Vista Sidebar RSS Gadget allows an attacker to execute arbitrary 
code with the privileges of the logged in user.

DETAILS

Vulnerable Systems:
 * Microsoft Windows Vista Business

A vulnerability exists within the parsing of the certain elements of the 
items in an RSS feed. A properly crafted HTML tag within these elements 
will not be removed, and will be rendered by the RSS gadget. Since the RSS 
gadget runs in the local zone, the injected JavaScript has full access to 
the system.

Analysis:
Exploitation of this vulnerability will result in the execution of 
arbitrary code with the privileges of the user running the RSS gadget. In 
order to exploit this, an attacker can inject JavaScript that will 
download and execute a malicious binary.

The RSS gadget runs by default, but does not display any feeds unless a 
user subscribes to them. As such, a user must be receiving data from a 
malicious feed in order to be attacked.

In the most common scenario, this requires some form of social engineering 
to convince a user to subscribe to a malicious feed. There is no way to 
add a feed by simply clicking a link. The user must click the 'Subscribe 
to this feed' button displayed when visiting a feed in Internet Explorer. 
After adding the feed, exploitation will occur once the gadget attempts to 
display the feed.

Another attack vector that requires significantly less social engineering 
requires an attacker control a trusted feed. If an attacker can find some 
way to inject data into a trusted feed then they will be able to exploit 
any subscribers to the feed.

Workaround:
iDefense is currently unaware of any workarounds for this issue.

Vendor reponse:
Microsoft has addressed this vulnerability within MS07-048. For more 
information, consult their bulletin at the following URL.
 <http://www.microsoft.com/technet/security/Bulletin/MS07-048.mspx> 
http://www.microsoft.com/technet/security/Bulletin/MS07-048.mspx

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3033> 
CVE-2007-3033

Disclosure Timeline:
03/21/2007 - Initial vendor notification
03/21/2007 - Initial vendor response
08/14/2007 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by  
<mailto:idlabs-advisories@idefense.com> iDefense Labs Security Advisories.
The original article can be found at:  
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=575> 
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=575



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NT] Microsoft Windows Vista Sidebar RSS Feeds Gadget Cross Site Scripting Vulnerability, SecuriTeam <=
Previous by Date:  [NT] Microsoft XML Core Services XMLDOM Memory Corruption Vulnerability, SecuriTeam
Next by Date:  [NT] Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (MS07-042), SecuriTeam
Previous by Thread:  [NT] Microsoft XML Core Services XMLDOM Memory Corruption Vulnerability, SecuriTeam
Next by Thread:  [NT] Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (MS07-042), SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]