Skip navigation

Spoofed Frames with IE

Spoofed Frames Can Lead to Intrusion
Reported December 23, 1998 by Juan Carlos Garcia Cuartango and Microsoft

VERSIONS AFFECTED

  • Microsoft Internet Explorer versions 3.X, 4.0, 4.01, 4.01 Service Pack 1 for Windows 95
  • Microsoft Internet Explorer versions 4.01 Service Pack 1 for Windows 98
  • Microsoft Internet Explorer versions 3.X, 4.0, 4.01, 4.01 Service Pack 1 for Windows NT 4.0
  • Microsoft Internet Explorer versions 3.X, 4.0, 4.01for Windows 3.1
  • Microsoft Internet Explorer versions 3.X, 4.0, 4.01 for Windows NT 3.51
  • Microsoft Internet Explorer versions 3.X, 4.X for Macintosh
  • Microsoft Internet Explorer version 4 for UNIX on HPUX
  • Microsoft Internet Explorer version 4 for UNIX on Sun Solaris

DESCRIPTION

A malicious Web page can be used to impersonate a window on a legitimate Web site. The spoofed window could collect information from the user and send it back to the malicious site. According to Microsoft Security Bulletin, "This vulnerability exists because Internet Explorer"s cross domain protection does not extend to navigation of frames. This makes it possible for a malicious web site to insert content into a frame within another web site"s window. If done properly, the user might not be able to tell that the frame contents were not from the legitimate site, and could be tricked into providing personal data to the malicious site. Non-secure (HTTP) and secure (HTTPS) sites are equally at risk from this vulnerability."

DESCRIPTION

Click here for a demonstration

SOLUTION

Be sure to read the Knowledge Base article associated with this concern. Appropriate hotfixes can be downloaded from   Microsoft"s IE Web site.

To learn more about NT Security concerns, subscribe to NTSD

Credits
- Originally reported by Juan Carlos Garcia Cuartango
- Posted on The NT Shop on December 23, 1998
Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish