Phantom Menace

Tuesday, 13 May 2008

Manuel Caballero gave a presentation at the spring Microsoft BlueHat Security Briefings event on May 2nd entitled "A Resident in My Domain" and the abstract introduces the topic of a resident script that silently follows you while you surf, logs everything you type and even guesses your next move. Coupled with a global cross-domain weakness, this is apparently a nasty piece of work.

Giorgio Maone noted in his blog that news of the presentation is scarce and that Nate McFeters, who was at the briefings and saw the presentation, seems to have down-played the issue - he does, however, admit that "Resident scripts have put the fear of God into me" and continues "Whereas a normal cross-site scripting attack vector is[n't] great for the site that was cross-site scripted, it stopped there; it couldn't follow you off-domain. Manuel's can. Scary.". In response to Giorgio's request for more detail on the topic, Nate writes that "It's a horribly serious issue that affects all browsers and is currently not fixed on any of them I believe. So Manuel has been asked by the vendors to not release details at this time.".

Interestingly, Sirdarckcat throws some insight into the mix by working through some possibilities for the mechanisms involved based on the evidence available and some smart thinking and ends up with Proof of Concepts that are able to modify iframe locations in a different domain (and capture keystrokes - "guess your next move") in a window opened by open() and window.opener in IE6, 7 and 8.

I'm still trying to get my head around it, but it is definitely one to watch.

UPDATE: 2008-06-26T13:55 +0100 UTC

There's a short post on the McAfee Avert Labs Blog which mentions that they've seen an "article published in one of the Chinese Security E-zines, called pstzine, which talks about a new zero day Cross Domain Scripting flaw in IE6. This is still unpatched in IE6 as of now but IE7 and FireFox are not vulnerable to this."

pstzine can be found at and the article is in Issue 0x02, [Phile #0x04 of 0x0A] (Google Translation to English).

If you're an IE 6 user try out a proof of concept adapted from the article. And then upgrade to the safer IE7 or better still get firefox.

It's worth noting that this particular flaw, whilst dangerous to IE6 users if used maliciously, is not the one that Manuel presented. That one affected "all browsers" - according to Nate McFeters who was at the presentation. I've still not read anything more about it and wait with baited breath...