Comments on: Resident scripts and global cross-domain http://www.tssci-security.com/archives/2008/05/07/resident-scripts-and-global-cross-domain/ top secret/secure computing information Tue, 14 Oct 2008 11:02:54 +0000 http://wordpress.org/?v=2.2.3 By: dex http://www.tssci-security.com/archives/2008/05/07/resident-scripts-and-global-cross-domain/#comment-6581 dex Sat, 17 May 2008 06:28:25 +0000 http://www.tssci-security.com/archives/2008/05/07/resident-scripts-and-global-cross-domain/#comment-6581 Hi! there's a writeup of this kind of attack @ gnucitizen by sirdarckcat with code samples. link: http://www.gnucitizen.org/blog/ghost-busters/ Hi!

there’s a writeup of this kind of attack @ gnucitizen by sirdarckcat with code samples.

link: http://www.gnucitizen.org/blog/ghost-busters/

]]> By: morphene http://www.tssci-security.com/archives/2008/05/07/resident-scripts-and-global-cross-domain/#comment-6446 morphene Sat, 10 May 2008 06:45:30 +0000 http://www.tssci-security.com/archives/2008/05/07/resident-scripts-and-global-cross-domain/#comment-6446 Was not at blue hat and don't know anything for sure, sorry if I misrepresented that. However I did ask directly to one who should know if that described an unpatched non public for ie7 and the response was not that it was patched which i would have expected if it was - though it didn't confirm it to be unpatched either. I'm not trying to spread FUD at all, I'm more clueless than clued in. But I was under the impression that the explicit attack vector was not discussed. Honestly interested if anyone can confirm or deny that. I do understand that Manuel works there and I agree that if the initial attack was described they must have already patched it. But I also know that undisclosed internally known attacks do at times remain open. I asked about slides and was told there were none, but that audio of the talk should be available some how, but i didn't get a follow up about it. If that's true does anyone know how to get a recording of the talk? Was not at blue hat and don’t know anything for sure, sorry if I misrepresented that. However I did ask directly to one who should know if that described an unpatched non public for ie7 and the response was not that it was patched which i would have expected if it was - though it didn’t confirm it to be unpatched either.

I’m not trying to spread FUD at all, I’m more clueless than clued in. But I was under the impression that the explicit attack vector was not discussed. Honestly interested if anyone can confirm or deny that.

I do understand that Manuel works there and I agree that if the initial attack was described they must have already patched it. But I also know that undisclosed internally known attacks do at times remain open.

I asked about slides and was told there were none, but that audio of the talk should be available some how, but i didn’t get a follow up about it. If that’s true does anyone know how to get a recording of the talk?

]]> By: Marcin http://www.tssci-security.com/archives/2008/05/07/resident-scripts-and-global-cross-domain/#comment-6418 Marcin Fri, 09 May 2008 02:29:00 +0000 http://www.tssci-security.com/archives/2008/05/07/resident-scripts-and-global-cross-domain/#comment-6418 @ morphene, dre: It's my understanding the vulnerability was patched in IE7. Manuel works for Microsoft, and I doubt they would let Manuel release an 0day at BlueHat. They wouldn't even let Kuza present a Flash 0day. However, whether or not the issue is <em>entirely</em> fixed in IE7 is another story. @ morphene, dre: It’s my understanding the vulnerability was patched in IE7. Manuel works for Microsoft, and I doubt they would let Manuel release an 0day at BlueHat. They wouldn’t even let Kuza present a Flash 0day.

However, whether or not the issue is entirely fixed in IE7 is another story.

]]> By: dre http://www.tssci-security.com/archives/2008/05/07/resident-scripts-and-global-cross-domain/#comment-6406 dre Thu, 08 May 2008 20:07:46 +0000 http://www.tssci-security.com/archives/2008/05/07/resident-scripts-and-global-cross-domain/#comment-6406 @ morphene: Thanks! Are you saying the bug is IE7 only? I thought it would be cross-browser. Are you also saying that Manuel's bug has something to do with the IE7 sidebar, or is this a separate issue? @ Mark: No, but we'll update with a new post once we get more information. Smart people are already at work on trying to fix XSS, CSRF, and other SOP problems in browsers and Flash, etc. Unfortunately, the problem/fix doesn't always seem to be on their side of the equation. The problem is really a problem with the initial designs inherent in HTML, HTTP, Web Services, and the code that is produced to create applications that use these technologies. @ morphene: Thanks! Are you saying the bug is IE7 only? I thought it would be cross-browser. Are you also saying that Manuel’s bug has something to do with the IE7 sidebar, or is this a separate issue?

@ Mark: No, but we’ll update with a new post once we get more information.

Smart people are already at work on trying to fix XSS, CSRF, and other SOP problems in browsers and Flash, etc. Unfortunately, the problem/fix doesn’t always seem to be on their side of the equation. The problem is really a problem with the initial designs inherent in HTML, HTTP, Web Services, and the code that is produced to create applications that use these technologies.

]]> By: morphene http://www.tssci-security.com/archives/2008/05/07/resident-scripts-and-global-cross-domain/#comment-6382 morphene Thu, 08 May 2008 02:52:54 +0000 http://www.tssci-security.com/archives/2008/05/07/resident-scripts-and-global-cross-domain/#comment-6382 that about:blank iframe bug was in mozilla dev builds last year it seems, not this year. In contrast though Manuel sure does seem to have an unpatched ie7 attack. word on the streets of washington state is to make sure the sidebar isn't running either. that about:blank iframe bug was in mozilla dev builds last year it seems, not this year. In contrast though Manuel sure does seem to have an unpatched ie7 attack. word on the streets of washington state is to make sure the sidebar isn’t running either.

]]> By: Shoaib Yousuf http://www.tssci-security.com/archives/2008/05/07/resident-scripts-and-global-cross-domain/#comment-6372 Shoaib Yousuf Wed, 07 May 2008 23:39:24 +0000 http://www.tssci-security.com/archives/2008/05/07/resident-scripts-and-global-cross-domain/#comment-6372 I think that's the best idea. "Stop using the internet" I think that’s the best idea. “Stop using the internet”

]]> By: Mark http://www.tssci-security.com/archives/2008/05/07/resident-scripts-and-global-cross-domain/#comment-6371 Mark Wed, 07 May 2008 23:06:17 +0000 http://www.tssci-security.com/archives/2008/05/07/resident-scripts-and-global-cross-domain/#comment-6371 Do any additional details, caveats, remediations etc exist? This sounds pretty bad, smart people need to be getting on a fix asap. Do any additional details, caveats, remediations etc exist? This sounds pretty bad, smart people need to be getting on a fix asap.

]]> By: Marcin http://www.tssci-security.com/archives/2008/05/07/resident-scripts-and-global-cross-domain/#comment-6352 Marcin Wed, 07 May 2008 06:22:59 +0000 http://www.tssci-security.com/archives/2008/05/07/resident-scripts-and-global-cross-domain/#comment-6352 I'm just going to tell my mom to stop using the Internet. I’m just going to tell my mom to stop using the Internet.

]]>