Thursday, May 22, 2008

Cross Domain Thriller

Armando Romeo

Manuel Caballero's speech at Microsoft's BlueHat conference has given us a nice thrilling story to talk about. Giorgio Maone and sirdarkcat are trying to unscramble the enigma of this resident script vector, which is able to allow cross-domain scripting through iframes. Stealing cookies, though, has not been confirmed as far as I know.

Manuel's speech title was "A Resident in My Domain", that is, how a script can remain resident in all the pages browsed by a user with Firefox and IE (6, 7). No matter what, all domains can be ghost-infected, since the ectoplasm lives in the browser (which references new windows and controls them) and not in the application code. Nice enough to create a lot of noise in the field.

Manuel is a penetration tester for Microsoft. He obviously didn't disclose the attack vector, but he demonstrated it, causing "shocking feelings" in the room, as someone witnessed. I wasn't there. I'm sure no one died of a heart attack, though.

Now, lemme ask a question. Why hasn't Microsoft patched the browser before all this came out on the scene? The attack seems to be still working, and no one is going to say more than what Microsoft wants to be known about the subject.

Quoting from Manuel's abstract:

"Imagine an invisible script that silently follows you while you surf, even after changing the URL 1000 times and you are feeling completely safe. Now imagine that the ghost is able to see everything you do, including where (location) you are surfing, what you are typing (passwords included) and even guess your next move. No downloading required, no user confirmation, no ActiveX. In other words: no strings attached. We will examine the power of a resident script and the power of a global cross domain. Also, we go through a step by step approach on how to find cross domains and resident scripts."

Nice, let's patch it!