I’ve been busy all day and just haven’t been able to get to it until now, but Aviv Raff is a seriously bad man. I follow his blog religiously as he always has some cool stuff going on and a lot of it tends to be thought provoking for other areas of attack. Well, imagine my lack of surprise when he dropped and 0-day for IE 7.0 and 8.0b on XP today. He calls the flaw: Internet Explorer “Print Table of Links” Cross-Zone Scripting Vulnerability.
I’ll leave it to Aviv to explain, full details on his blog, including proof of concept code that he has provided, but I’ll paraphrase things here:
Summary
Internet Explorer is prone to a Cross-Zone Scripting vulnerability in its “Print Table of Links” feature. This feature allows users to add to a printed web page an appendix which contains a table of all the links in that webpage.
An attacker can easily add a specially crafted link to a webpage (e.g. at his own website, comments in blogs, social networks, Wikipedia, etc.), so whenever a user will print this webpage with this feature enabled, the attacker will be able to run arbitrary code on the user’s machine (i.e. in order to take control over the machine).