What's the issue, then? Well, it's pretty funny: predictably, but not very intuitively, the attacker may initiate such cross-domain navigation not only to point the targeted window to a well-formed HTML document, but also to a resource served with the Content-Disposition: attachment header. In this scenario, the address bar of the targeted window is not updated at all, but a rogue download prompt appears on the screen, attached to the targeted document.
Here's an example of how this looks in Chrome; the fake flash11_updater.exe download, supposedly served from adobe.com, is in reality supplied by the attacker:
All the top three browsers are currently vulnerable to this attack; some provide weak cues about the origin of the download, but in all cases, the prompt is attached to the wrong window - and the indicators seem completely inadequate.
You can check out the demo here:
The problem also poses an interesting challenge to sites that frame gadgets, games, or advertisements from third-party sources; even HTML5 sandboxed frames permit the initiation of rogue downloads (oops!).

Vendor responses, for the sake of posterity:
- Chrome: reported March 30 (bug 121259). Fix planned, but no specific date set.
- Internet Explorer: reported April 1 (case 12372gd). The vendor will not address the issue with a security patch for any current version of MSIE.
- Firefox: reported March 30 (bug 741050). No commitment to fix at this point.
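The post's core observation is that the download prompt is attached to a window whose displayed origin has nothing to do with the host actually serving the attachment. One place a defender can still see the mismatch is in proxy or gateway logs, where the page that triggered the request (Referer) and the host that answered with Content-Disposition: attachment are both recorded. The following is an added detection example, not code from the post or from any browser vendor; the tab-separated log format, the sample lines, and the hosts in them are constructed for illustration.

```python
"""
Added example: flag attachment downloads whose serving origin differs from the
origin of the page that triggered them (the window the prompt gets attached to).

The log format below is an assumption made for this example: one request per
line, tab-separated as  <referer_origin>  <request_url>  <content_disposition>.
"""
import re
from urllib.parse import urlparse

# Constructed sample log; 203.0.113.5 is a documentation-range address.
SAMPLE_LOG = """\
https://get.adobe.com\thttps://get.adobe.com/flashplayer/install.exe\tattachment; filename="install.exe"
https://www.example.org\thttp://203.0.113.5/dl\tattachment; filename="flash11_updater.exe"
https://www.example.org\thttps://www.example.org/report.pdf\tinline
-\thttps://cdn.example.net/tool.zip\tattachment; filename=tool.zip
"""

# File types that a browser will hand to the OS rather than render itself.
RISKY_EXTENSIONS = {".exe", ".msi", ".scr", ".bat", ".cmd", ".jar", ".dmg", ".pkg"}

# Matches filename= and the RFC 5987 filename*= form, quoted or bare.
FILENAME_RE = re.compile(r'filename\*?\s*=\s*"?([^";]+)"?', re.IGNORECASE)


def parse_disposition(value):
    """Return (is_attachment, filename_or_None) for a Content-Disposition value."""
    disp_type = value.split(";", 1)[0].strip().lower()
    match = FILENAME_RE.search(value)
    name = match.group(1).strip() if match else None
    # filename*=UTF-8''name carries a charset/language prefix; drop it.
    if name and "''" in name:
        name = name.split("''", 1)[1]
    return disp_type == "attachment", name


def origin_of(url):
    """scheme://host[:port] in lower case, or None if the value is not a URL."""
    parts = urlparse(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def is_risky_filename(name):
    """True when the attachment's extension is one the OS will execute or install."""
    if not name:
        return False
    dot = name.rfind(".")
    return dot != -1 and name[dot:].lower() in RISKY_EXTENSIONS


def flag_cross_origin_downloads(log_text):
    """Return one finding per attachment whose server is not the referring origin.

    Requests without a usable Referer cannot be judged and are skipped; inline
    responses are skipped because no download prompt is shown for them.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        referer, url, disposition = line.split("\t")
        is_attachment, filename = parse_disposition(disposition)
        if not is_attachment:
            continue
        referring = origin_of(referer)
        serving = origin_of(url)
        if referring is None or serving is None or referring == serving:
            continue
        findings.append({
            "referring_origin": referring,   # what the user's address bar shows
            "serving_origin": serving,       # who actually supplied the file
            "filename": filename,
            "risky": is_risky_filename(filename),
        })
    return findings


if __name__ == "__main__":
    for finding in flag_cross_origin_downloads(SAMPLE_LOG):
        print(finding)
```

Only the second sample line is reported: the prompt the user would see sits on a www.example.org window while the executable comes from an unrelated IP address. The same-origin Adobe download, the inline PDF, and the request with no Referer produce no finding, which keeps the heuristic quiet on ordinary browsing.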
For the record, in Opera 11.64 the download dialog shows "From: attacker's hostname" rather clearly, but the dialog is attached to the victim's window.
FWIW, Opera does that at least as far back as v11.0.
Firefox does something similar, displaying, as the third line of information about the pending download (if you don't have it set to do stuff automatically), "from: http://199.58.85.40".
This is, I presume, what Michal referred to as "some provid[ing] weak cues about the origin of the download".
OK, so Michal, you and I noticed, but few, if any, "ordinary users" would notice, or care about, such (to them) trifling matters. I agree with Michal that this is probably easier to use and more insidious than his earlier example.
Good find!
Downloading on Safari for Mac gives me two copies of the flash update, automatically downloaded to my download folder. Opening either of them shows the usual "downloaded from the internet" message, giving the download site as get.adobe.com.
Interesting, sounds pretty bad :-)
Tested this too on the latest version of Safari and Lion. Downloads twice automatically when going to that webpage with no prompting! Very scary! Firefox on Mac behaves as per normal.
Great findings! I'm shocked that none of the providers have taken this seriously.
Safari comes up with twin copies of the update when downloading for Mac. It's always the usual "downloaded from the internet" message that pops up.
Benzoyl Peroxide
I remember looking at it when Michal published this post; kinda late comment.
@Max Short: you're right that it's from Opera 11, because that's when they switched from using OS dialogs (in this case MS's) to their own ones, but IIRC in Opera 10.x there probably wouldn't even be that "weak cue".
Regarding that "weak cue", Michal is right, because I don't think there would be any problem with providing it from a typosquatting domain like aihdownload.adobe.co, aihdownload-adobe.com or anything like that.
Dafuq. It still works on Firefox 19.0 and Chrome 25.0.1364.84 beta running on a Mac. Is it about time to scream louder?