SANS ISC: IE7 - XSS against local resource - CVE-2007-1499 - SANS Internet Storm Center SANS ISC InfoSec Forums

IE7 - XSS against local resource - CVE-2007-1499
In the past few days a new vulnerability was discussed publicly: a Cross Site Scripting (XSS) vulnerability against a local resource in MSIE 7 on at least Windows XP and Vista.

The vulnerability is in a local page that displays a "Navigation to the webpage was canceled" message together with a "Refresh the page" link. An attacker can send a browser to this local resource via a crafted link, making it display a faked address in the address bar and using scripting to make the "Refresh the page" link go to a page of his/her choice.
Do not confuse the "Refresh the page" link with the refresh button on the browser.

This might be useful in a phishing attack, but it does sound rather complex and requires the user to jump through hoops.

CVE-2007-1499 (NIST's version); Mitre's version should get updated at their next update of the website.

I've also updated the "missing Microsoft patches" table, so we'll track it.

Swa Frantzen -- NET2S

Mar 17th 2007
