Title: IE chromeless window vulnerabilities Affects: Internet Explorer 5.5 and later Risk: Medium Introduction ------------ A window without a frame, title bar, toolbars or scroll bars is known as a 'chromeless' window. If a chromeless window can be opened on top of other windows, it is possible to impersonate Windows user interface elements. Why is this a security problem? Because Windows and browser UI elements are themselves part of security mechanisms. If the UI for security features can be faked, users can be tricked into making inappropriate decisions. The 'traditional' way of doing chromeless windows was to use the DHTML method window.open to open a full-screen browser window (which is chromeless) and then resize this to smaller dimensions. This capability was removed in IE6 Service Pack 1, presumably due to exactly these security concerns. The problem ----------- It is still possible to get chromeless windows by using the window.createPopup method. A window opened with createPopup has some unusual properties: - It is closed when one clicks on the outside the popup. This is easy to circumvent by simply re-spawning it on close. - It cannot be focused. (It is impossible to put controls like text input fields in it; this, at least, prevents us from overlaying fake login forms onto other websites.) Focus stays with the opener window. - It floats above other normal windows, allowing it to obscure them even whilst they are focused. One popup may be created per window, allowing one to overlay an arbitrary rectangle of screen display area with fake UI. More complicated overlays can be achieved by having multiple windows opening popups at once; a popup is itself a window so can be used to open further popups. Exploitation ------------ There are three simple exploit demonstrations at: http://www.doxdesk.com/personal/posts/bugtraq/20030713-ie/ One fakes the address bar to seem to be another site; another tries to trick the user into adding a bookmark to the favorites menu by hiding the dialog box that has focus; another hides an ActiveX download prompt in order to fool the user into allowing arbitrary code to be run. These exploits are unpolished and could no doubt be made more convincing and robust, but this demonstrates the risk. Solution -------- window.createPopup() should have the same chromeless window restrictions as createModalDialog() and createModelessDialog(). Workaround ---------- Disable Active Scripting. Vendor response --------------- Microsoft were informed of the problem on 23rd January. After initially encouraging e-mails, no action has been taken since. I am posting this issue now as I have seen it being exploited in the wild. If you use IE, be extremely wary of trusting what appear to be its built-in security controls.