Security researcher and Google employee Michal Zalewski is warning of a potentially serious security hole that affects the three major Web browsers – Internet Explorer, Firefox and Google’s Chrome – and that could make it easy for attackers to push malicious downloads from domains other than the one being visited by unsuspecting Web users.
Attackers could take advantage of a widely supported feature that allows a document loaded in one browser window to point other active browser windows to arbitrary URLs. The same feature allows a malicious Web page to push a download to a target window that is open to another domain, using the widely supported Content-Disposition: attachment response header.
In his blog post, Zalewski said that most popular browsers do a poor job of indicating to users that the download does not come from the domain they have browsed to – if they inform them at all. Misuse of that feature could support sophisticated Web-based attacks in which rogue downloads appear to be launched from legitimate sites. He included a proof-of-concept attack in which a button on one Web page seems to launch a download of an Adobe Flash Player update from the official Flash Player download site. In fact, the download is a fake pushed by Zalewski, not Adobe.
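As an added illustration (not code from Zalewski's post or from any browser vendor), the following JavaScript sketches the kind of origin check a browser or download manager could apply before presenting a pushed download: it parses the Content-Disposition header and compares the origin the attachment was served from with the origin of the document currently shown in the target window, producing a warning that names both origins when they differ. All URLs, header values and function names are constructed for the example, and the parser handles only the plain filename= form of the header, not the RFC 6266 filename* encoding.

```javascript
// Added example: a simplified origin check for pushed downloads.
// Not part of Zalewski's post or any browser's code; URLs below are constructed.

// Parse a Content-Disposition value such as
//   attachment; filename="player_update.exe"
// into its disposition type and (optional) filename.
// Only the plain filename= form is handled (the RFC 6266 filename* form is not).
function parseContentDisposition(header) {
  if (!header) return { type: "inline", filename: null };
  const parts = header.split(";").map((p) => p.trim());
  const type = parts[0].toLowerCase();
  let filename = null;
  for (const p of parts.slice(1)) {
    const m = /^filename\s*=\s*"?([^"]*)"?$/i.exec(p);
    if (m) filename = m[1];
  }
  return { type, filename };
}

// Look up a header case-insensitively from a plain {name: value} object.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === want) return headers[key];
  }
  return undefined;
}

// Decide how a response arriving in a window should be presented.
//   viewedPageUrl: URL of the document currently displayed in that window
//   responseUrl:   final URL the response was served from
//   headers:       response headers as a {name: value} object
// Returns verdict "allow" when an attachment comes from the same origin as the
// displayed page, "warn" (with a user-facing message naming both origins) when
// it does not, and "not-a-download" when the response is not an attachment.
function assessDownload(viewedPageUrl, responseUrl, headers) {
  const cd = parseContentDisposition(getHeader(headers, "content-disposition"));
  const pageOrigin = new URL(viewedPageUrl).origin;
  const responseOrigin = new URL(responseUrl).origin;
  const result = {
    isAttachment: cd.type === "attachment",
    filename: cd.filename,
    pageOrigin,
    responseOrigin,
    crossOrigin: pageOrigin !== responseOrigin,
    verdict: "not-a-download",
    message: null,
  };
  if (!result.isAttachment) return result;
  if (result.crossOrigin) {
    result.verdict = "warn";
    result.message =
      '"' + (cd.filename || "(unnamed file)") + '" is being downloaded from ' +
      responseOrigin + ", not from " + pageOrigin + ", which you are viewing.";
  } else {
    result.verdict = "allow";
  }
  return result;
}

// Constructed scenario mirroring the shape of the post's proof of concept: the
// window shows a vendor's download page, but the attachment comes from elsewhere.
const example = assessDownload(
  "https://downloads.vendor.example/player/",
  "https://third-party.example/push/update.exe",
  { "Content-Disposition": 'attachment; filename="player_update.exe"' }
);
console.log(example.verdict, "-", example.message);
```

The check keys on the origin the response was actually served from rather than on the URL the user typed or the page that initiated the navigation, because a download response leaves the displayed document in place; that is exactly the gap the post describes, where nothing in the browser chrome tells the user the file did not come from the site on screen.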
“The problem also poses an interesting challenge to sites that frame gadgets, games, or advertisements from third-party sources; even HTML5 sandboxed frames permit the initiation of rogue downloads (oops!),” he wrote.
Microsoft, Google and the Mozilla Foundation, which makes the Firefox browser, have all acknowledged the hole. Google plans a fix for it, but hasn’t indicated when it might be available. Microsoft said that it will not address the issue with a security patch for current versions of IE, which suggests that it may address it as a feature in forthcoming IE releases. Finally, the Mozilla Foundation hasn’t made a commitment to fix the issue, Zalewski wrote.
Users commenting on the post also note that most versions of Apple’s Safari Web browser support the same insecure operations.
Zalewski is the Obi-Wan Kenobi of browser security, and author of The Tangled Web: A Guide to Securing Modern Web Applications. That means: when Zalewski throws down on a new security hole that he finds “amusing,” folks in Redmond, Mountain View and Cupertino go scrambling. Zalewski has uncovered a wide range of security flaws in common Web browsers in recent years, many of them exploitable. He has also authored a number of fuzzing and security research tools, including cross_fuzz and p0f. He was at the center of controversy after Microsoft accused him of irresponsible disclosure of a critical security hole in Internet Explorer in January 2011.
Commenting on the vendors’ responses to the vulnerability, he said that they are “fine, given the sorry state of browser UI security in general.” However, the vulnerability – if left unaddressed – could pose problems. “In good conscience, I can’t dismiss the problem as completely insignificant,” he wrote.