4078 : Microsoft IE Cross Frame Scripting Restriction Bypass
http://osvdb.org/4078


Timeline

Disclosure Date
2004-02-27

Description

Microsoft Internet Explorer contains a flaw that may allow a malicious user to bypass certain frame restrictions (aka Cross Frame Scripting aka XFS). The issue is triggered when access validation errors occur within event handling routines. Malicious JavaScript loaded in a parent frame can then record the keyboard events of child frames.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation, Other
Impact: Loss of Integrity
Exploit: Exploit Public

Solution

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workarounds:

You must implement two workarounds in order to fully protect your sensitive forms from any XFS attack scenario.

Workaround Part 1:
The following piece of JavaScript should be loaded at the top of all sensitive forms (login, forgot password, registration, etc.). This JavaScript will prevent parent frames from loading your sensitive forms into a child frame.

if (top != self) { top.location=self.location; }

Workaround Part 2:
Internet Explorer 6.x has a little-known feature that allows parent frames to place child frames into the restricted zone by specifying security="restricted" in the frame tag. Loading the frame into the restricted zone disables cookies and active scripting for that child frame.

Example:
<frame src="http://www.osvdb.org" scrolling="auto" security="restricted">

Because of this feature, the workaround implemented in Part 1 is disabled: the JavaScript cannot run, so it is not effective in breaking out of the child frame. The parent frame, however, still has the ability to use scripting code, so malicious JavaScript can record the keyboard events of the child frame.

Applications can protect against this by implementing one of two things. All sensitive forms should do a cookie check to ensure that cookies are enabled in the client browser before displaying the sensitive forms to the user. If the form is loaded into a child frame and placed into the restricted zone, the cookie check will fail because cookies are disabled in the restricted zone. If cookies are disabled, redirect the user to an error message saying that cookies are required to use your application.

OR

The alternative is to write your sensitive form fields using JavaScript. If the child frame is in fact loaded in the restricted zone, the sensitive form will not be built because active scripting is disabled in this zone. This requires a lot more code for each sensitive form you are trying to protect.
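
The cookie check described as the first option above can be done server-side as a set-then-verify round trip. The following is an added example, not code from the OSVDB entry: the cookie name `cookie_probe`, the `?cc=1` marker, the `/cookies-required` path and the simplified request shape are all assumptions.

```javascript
// Added example: server-side cookie check guarding a sensitive form.
// PROBE_COOKIE, the cc=1 marker and /cookies-required are assumed names.
const PROBE_COOKIE = "cookie_probe";

// Parse a Cookie request header into a name -> value map.
function parseCookies(header) {
  const jar = Object.create(null);
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0) jar[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return jar;
}

// Decide the response for a GET of a sensitive form.
// req = { path, query: {...}, headers: { cookie } } (simplified shape).
function guardSensitiveForm(req) {
  const cookies = parseCookies(req.headers.cookie);
  if (cookies[PROBE_COOKIE] === "1") {
    // The probe came back, so cookies work and the form may be shown.
    return { status: 200, headers: {}, body: "render-form" };
  }
  if (req.query.cc === "1") {
    // The probe was already set once and did not return: cookies are
    // disabled, as they are for a frame placed in the restricted zone.
    return { status: 302, headers: { Location: "/cookies-required" }, body: "" };
  }
  // First visit: set the probe and bounce back to the same path once.
  return {
    status: 302,
    headers: {
      "Set-Cookie": PROBE_COOKIE + "=1; Path=/; HttpOnly",
      Location: req.path + "?cc=1",
    },
    body: "",
  };
}
```

The `cc=1` marker keeps a cookie-less client from looping: it is redirected once to set the probe, then sent to the error page instead of the form.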

Note: Microsoft has stated that Internet Explorer 7 will not be available to users on Windows 2000 and earlier platforms. This means users on these platforms will be using Internet Explorer 6 and will be vulnerable to these types of attacks.

Products

Microsoft Corporation
Internet Explorer
5.01
5.5
6

References

Credit

Unknown or Incomplete

CVSSv2 Score

CVSSv2 Base Score = 5.1
Source: nvd.nist.gov | Generated: 2005-08-23


© Copyright 2002 - 2013 Open Sourced Vulnerability Database (OSVDB), All Rights Reserved.