DOE-CIRC TECHNICAL BULLETIN

T-221: Multiple Browser HTTP Resource in HTTPS Context Security Bypass Vulnerability

[CVE-2009-2064 Thru CVE-2009-2067]

August 31, 2009 15:00 GMT

PROBLEM: Multiple browsers are prone to a security-bypass vulnerability because they fail to display warnings when pages operating in a secure context try to request resources through insecure methods.
PLATFORM: Microsoft Internet Explorer 8 and all previous versions, Mozilla Firefox 3.0.9 and all previous versions, Apple Safari 3.2.1 and all previous versions, Opera Browser 9.22 and all previous versions.
ABSTRACT: Attackers may exploit this vulnerability to aid in phishing attacks or to obtain sensitive information. Other attacks are also possible. Note that to take advantage of this issue, an attacker must be able to intercept or control network traffic. This would normally be possible through a man-in-the-middle attack, DNS poisoning, or similar vectors.

LINKS:
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-221.shtml
  OTHER LINKS:
    Security Focus Website: http://www.securityfocus.com/bid/35403/info
    Apple Website:          http://www.apple.com/safari/download/
    Microsoft Website:      http://www.microsoft.com/windows/ie/default.mspx
    Mozilla Website:        http://www.mozilla.com/en-US/
    Opera Website:          http://www.opera.com/

  CVE: CVE-2009-2064
       CVE-2009-2065
       CVE-2009-2066
       CVE-2009-2067

IMPACT ASSESSMENT: This risk is medium. An attacker may use common networking tools to exploit this issue. Note that the attacker must entice a user into viewing a webpage that meets the conditions that allow an attack.

[***** Start CVE-2009-2064 Thru CVE-2009-2067 *****]
Discussion:
Microsoft Internet Explorer 8, Mozilla Firefox 3.0.10, Apple Safari, Opera, and possibly other versions, detect http content in https web pages only when the top-level frame uses https. This allows man-in-the-middle attackers to execute arbitrary web script in an https site's context by modifying an http page to include an https iframe that references a script file on an http site, related to "HTTP-Intended-but-HTTPS-Loadable (HPIHSL) pages."

Attackers may exploit this vulnerability to aid in phishing attacks or to obtain sensitive information. Other attacks are also possible. Note that to take advantage of this issue, an attacker must be able to intercept or control network traffic. This would normally be possible through a man-in-the-middle attack, DNS poisoning, or similar vectors.
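The following is an added example, not part of the bulletin or any vendor's code: a small Python mixed-content check run over a constructed two-page site (hostnames and file names are made up) that reproduces the detection gap described above. With top_level_only=True it mimics the flawed behaviour (only the top-level frame's scheme is considered) and misses the http script inside the https iframe; the per-frame check flags it.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed mini-site: an http top-level page embedding an https iframe,
# which in turn loads a script over plain http (the HPIHSL pattern).
PAGES = {
    "http://shop.example/index.html":
        '<html><body><iframe src="https://shop.example/widget.html"></iframe></body></html>',
    "https://shop.example/widget.html":
        '<html><head><script src="http://cdn.example/widget.js"></script></head></html>',
}

class ResourceCollector(HTMLParser):
    """Collects (tag, absolute URL) pairs for subresource-loading tags."""
    SRC_TAGS = {"script", "iframe", "frame", "img", "link", "embed", "object"}

    def __init__(self, base):
        super().__init__()
        self.base, self.refs = base, []

    def handle_starttag(self, tag, attrs):
        if tag in self.SRC_TAGS:
            a = dict(attrs)
            url = a.get("src") or a.get("href") or a.get("data")
            if url:
                self.refs.append((tag, urljoin(self.base, url)))

def find_mixed_content(pages, top_url, top_level_only=False):
    """Return (frame_url, tag, resource_url) for http resources loaded from a
    frame that is itself https. top_level_only=True reproduces the flawed
    check from the bulletin: only the top-level document's scheme counts."""
    findings, seen = [], set()

    def walk(url):
        if url in seen or url not in pages:
            return
        seen.add(url)
        p = ResourceCollector(url)
        p.feed(pages[url])
        ctx = top_url if top_level_only else url          # which scheme decides "secure context"
        ctx_secure = urlparse(ctx).scheme == "https"
        for tag, ref in p.refs:
            if ctx_secure and urlparse(ref).scheme == "http":
                findings.append((url, tag, ref))
            if tag in ("iframe", "frame"):
                walk(ref)                                  # descend into nested frames
    walk(top_url)
    return findings
```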

Solution:
Vendors are currently working on providing a solution.

[***** End CVE-2009-2064 Thru CVE-2009-2067 *****]

DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov


UCRL-MI-119788