Yet another cross-site scripting vulnerability affects IE7 on XP
A private security researcher well known for turning up cross-site scripting vulnerabilities in Web browsers has discovered another one, and is trumpeting the find as another milestone in Web history.
Truth is, it sounds like a trumpet we've all heard too many times before. On Wednesday, researcher Aviv Raff posted on his Web site the discovery of a vulnerability so open and easy to exploit that merely describing it could serve as an instruction manual for malicious exploiters to try it for themselves.
Primarily, it involves Internet Explorer 7 running on all versions of Windows XP; however, BetaNews was able to trigger the vulnerability using proof-of-concept code on the latest public beta of IE8 running in Windows Vista (not SP1), though with Protected Mode intentionally turned off.
Simply put, when printing a Web page onto paper, IE gives the user the option to print a separate page showing a table of the hyperlinks inside the page. Typically, processes related to the printer run at the security level of the "Local Machine Zone," whose restrictions are usually more lax. So, as Raff discovered, print jobs sent from IE run with that more lax security. Thus script embedded in the hyperlinks can run unchecked, even though it is IE itself that re-embeds those hyperlinks into the user-generated table.
The proof-of-concept Raff provides embeds code that runs the Calculator, though conceivably any script code could have run in that space unchecked. In BetaNews tests, the exploit was successfully triggered using IE7 in Windows XP SP2 and Windows XP SP3.
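To illustrate the bug class described above (a generated "table of links" page that copies hyperlink text and targets verbatim), here is an added example, not Raff's proof-of-concept and not IE's code: a simple string-based generator in its unsafe form next to a hardened form that escapes the copied values and drops non-http(s) targets. The table layout and the sample links are constructed for illustration; output encoding is the generic defence for this pattern, not a description of Microsoft's eventual fix.

```javascript
// Constructed sample: anchors as a "table of links" generator would see them.
const SAMPLE_LINKS = [
  { href: "https://example.com/a", text: "Example A" },
  // Link text carrying markup (constructed sample, harmless marker only).
  { href: "https://example.com/b", text: "Click <script>alert(1)</script> here" },
  // Non-http scheme smuggled in the href (constructed sample).
  { href: "javascript:alert(1)", text: "Not a link" },
];

// Unsafe pattern: copies text and href straight into the generated page,
// so any markup inside a link lands in the printed page's HTML unchanged.
function buildLinkTableUnsafe(links) {
  const rows = links.map(
    (l, i) => `<tr><td>${i + 1}</td><td>${l.text}</td><td>${l.href}</td></tr>`
  );
  return `<table>${rows.join("")}</table>`;
}

// Escape the characters that are significant in HTML text and attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Accept only http(s) targets; javascript:, data: and friends are rejected.
function safeHref(href) {
  return /^https?:\/\//i.test(href) ? href : null;
}

// Hardened pattern: every copied value is encoded for the context it lands in,
// and rejected targets are replaced by a fixed placeholder rather than copied.
function buildLinkTableSafe(links) {
  const rows = links.map((l, i) => {
    const url = safeHref(l.href);
    const target = url === null
      ? "(link omitted: unsupported scheme)"
      : `<a href="${escapeHtml(url)}">${escapeHtml(url)}</a>`;
    return `<tr><td>${i + 1}</td><td>${escapeHtml(l.text)}</td><td>${target}</td></tr>`;
  });
  return `<table>${rows.join("")}</table>`;
}
```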
On his Web post from Wednesday, Raff states he contacted Microsoft the day before, but "their last response was that they are looking at an appropriate fix." Microsoft has yet to issue any official response to the matter.