RE: Internet Explorer and Opera local zone restriction bypass

["Thor Larholm" <thor@pivx.com>]

> From: Paul Szabo [mailto:psz@maths.usyd.edu.au] 
> Storing in an unpredictable location might help. 
> Obfuscation does not: instead of setting a cookie 
> of BadThing, the attacker could set one that will 
> become BadThing. The need to reverse-engineer the 
> obfuscation, and details like possible character 
> sets, are a minor hindrance only. 
> Security by obscurity does not work.

If you had followed the debate in detail, you would have seen that there
are several aspects to this problem. First you have to store defined
content in a known location, then you have to load a locally residing
file in a window object, then you have to use another vulnerability to
change security zone and then you have to convince IE to render the
stored content as HTML.

Flash can remove the first and latter, and there is absolutely no
reverse-engineering that will convince IE to render a BAE-64 encoded
string as HTML. Loading a locally residing file in a window object
brings nothing new into the world of IE exploits, and after that you
STILL have to rely on yet another cross-domain vulnerability before all
of this can be exploited.

There is no obscurity being promised here, just an additional layer of
security - encoding and decoding data when it is being stored to and
read from permanent storage by Flash. Obscurity by security would only
have been the case here if the data that Flash stores was sensitive or
private, but it is not - all we want is to avoid having Flash used as an
automated transport mechanism of data from the Internet Zone to any
local security zones.


Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
Get our research, join our mailinglist - http://pivx.com/larholm/