If at first you don't succeed; call it version 1.0
Wednesday, 14 March 2007

Internet Explorer 7.0 is vulnerable to cross-site scripting in one of its local resources. Combined with a design flaw in how IE7 displays the address of this local resource, this allows an attacker to easily conduct phishing attacks against IE7 users.

Affected versions
• Windows Vista - Internet Explorer 7.0
• Windows XP - Internet Explorer 7.0

Technical Details
The navcancl.htm local resource is the “Navigation Canceled” page the browser shows when navigation to a page is canceled for some reason.
When a navigation is canceled, the URL of the page is passed to the navcancl.htm local resource after the # sign, for example: res://ieframe.dll/navcancl.htm#http://www.site.com. The navcancl.htm page then generates a script in the “Refresh the page.” link so that the provided site is loaded again when the user clicks on that link.
Because the provided URL is placed into that script without being sanitized, an attacker can inject a script into it, and the injected script is executed when the user clicks on the “Refresh the page.” link.
Luckily, Internet Explorer now runs most of its local resources (including navcancl.htm) in the “Internet Zone”, so the injected script gets no more privileges than any other Internet page and this vulnerability cannot be exploited for remote code execution.

Unfortunately, there is also a design flaw in IE7. When displaying the address of this local resource, the browser strips the path of the local resource itself and leaves only the URL that was provided after the # sign. For example: when the user visits res://ieframe.dll/navcancl.htm#http://www.site.com, IE7 shows http://www.site.com in the address bar.

To perform a phishing attack, an attacker can craft a navcancl.htm local resource link containing a script that displays fake content of a trusted site (e.g. a bank, PayPal, MySpace).
When the victim opens the link sent by the attacker, a “Navigation Canceled” page is displayed. The victim will assume that the site had an error or that there was some kind of network problem and will try to refresh the page. Once he clicks on the “Refresh the page.” link, the attacker's content (e.g. a fake login page) is displayed, and the victim believes he is on the trusted site because the address bar shows the trusted site's URL.
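As an added example written for this page (it is not the code of navcancl.htm and not the author's proof-of-concept), the following JavaScript models the mechanism described above: the original destination is taken from the part of the res:// URL after the # sign, pasted into a javascript: link without escaping, and the address bar shows only that part. The function names, the exact string layout of the generated link, and the sample URLs are assumptions; a hardened version of the link builder and a small check for crafted links are shown beside the vulnerable one.

```javascript
// Added example: simplified model of a "Navigation Canceled" page that turns
// the URL after '#' into a "Refresh the page." link. Not Microsoft's code;
// names and string layout are assumed for illustration.

const NAVCANCL_PREFIX = 'res://ieframe.dll/navcancl.htm#';

// The original destination is whatever follows '#' in the error-page URL.
function targetFromNavcanclUrl(url) {
  if (!url.startsWith(NAVCANCL_PREFIX)) return null;
  return url.slice(NAVCANCL_PREFIX.length);
}

// Vulnerable pattern: the attacker-controlled target is interpolated straight
// into a javascript: href. A double quote in the target closes the string
// literal and whatever follows it runs as script when the link is clicked.
function buildRefreshHrefVulnerable(target) {
  return 'javascript:location.replace("' + target + '")';
}

// Hardened pattern: only accept http(s) targets made of URL-safe characters,
// and emit the value as a JSON string literal so quotes, backslashes and
// line terminators can never terminate it.
function buildRefreshHrefHardened(target) {
  if (!/^https?:\/\/[^\s"'<>\\]+$/i.test(target)) {
    throw new Error('refusing to build a refresh link for this target');
  }
  return 'javascript:location.replace(' + JSON.stringify(target) + ')';
}

// Model of the address-bar flaw described in the post: IE7 showed only the
// part after '#', hiding that the page really came from res://ieframe.dll.
function addressBarShows(url) {
  const target = targetFromNavcanclUrl(url);
  return target === null ? url : target;
}

// A check a mail filter or proxy could apply: a link to the local error page
// whose fragment carries string-breaking characters or a javascript: scheme.
function looksLikeNavcanclInjection(url) {
  const target = targetFromNavcanclUrl(url);
  if (target === null) return false;
  return /["'\\<>]|javascript:/i.test(target);
}

// Constructed sample URLs: a benign canceled navigation and a crafted link.
const benign = NAVCANCL_PREFIX + 'http://www.site.com';
const crafted = NAVCANCL_PREFIX + 'http://www.site.com");alert(document.domain);//';

console.log(addressBarShows(benign));                                   // http://www.site.com
console.log(buildRefreshHrefVulnerable(targetFromNavcanclUrl(crafted))); // script breaks out
console.log(looksLikeNavcanclInjection(crafted));                       // true
```

Run it with node. The vulnerable builder produces `javascript:location.replace("http://www.site.com");alert(document.domain);//")`, which is exactly the shape of breakout the post describes; the hardened builder refuses the same input, and for the benign target emits a link whose argument is a properly quoted string literal.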


A CNN.com article spoofing proof-of-concept can be found here.
If you are not using IE7, you can watch a demonstration video here.

Workaround / Suggestion
Until Microsoft fixes this vulnerability, do not trust the “Navigation Canceled” page!


Wednesday, 14 March 2007 11:47:09 UTC | Comments [20] | Security
Thursday, 15 March 2007 08:18:39 UTC
A phishing success with this trick is very improbable
Thursday, 15 March 2007 09:47:20 UTC
If people click on "Yes" buttons which install malware, why won't they click on a refresh link of an error page (with a trusted site URL in the address bar) and believe it's their trusted site?
Thursday, 15 March 2007 13:14:57 UTC
How can a site with this long URL that I see in my IE7 URL bar be trusted???

And if I click on the URL bar I can also see this full URL:

Sorry, but this phishing attack is very improbable!

Thursday, 15 March 2007 13:38:03 UTC
Usually people do not pay attention to the URL that is not displayed within the visible address bar.
They will trust it if they see an acceptable domain name.
Thursday, 15 March 2007 16:34:27 UTC
Is it possible that you provide us with the full source code?
I just want to try some things to verify this issue.


Thursday, 15 March 2007 16:35:30 UTC
Do you really think this URL is acceptable?
Thursday, 15 March 2007 17:21:35 UTC
The proof-of-concept source code is public. The only thing that is not public is redc.aspx which only redirects to the navcancl.htm local resource. Just use a sniffer (e.g. Fiddler) to grab the response's location header.

This was just an example. The phisher can use whatever URL prefix he wants.
Thursday, 15 March 2007 18:23:06 UTC
1. When the user clicks on that page he sees the page doesn't work, so he's alerted and I assume he pays attention to the URL and checks if it is correct.
2. The phisher has to write a long URL in order to hide the JavaScript code, but a long URL is always suspect; I'll never put my password in a crazy long URL.
3. The IE7 Antiphishing filter still continues to work and so that phishing site will be blocked by the antiphishing filter, although the page is spoofed.
So, there are a lot of things that make this attack's success very improbable
Thursday, 15 March 2007 18:33:04 UTC
1. He will be alerted and will probably try to refresh the page as suggested by the browser.
2. A long URL is something trivial, and used by many trusted sites.
3. The Antiphishing tool will not work, as the page runs locally. Unless MS will flag the navcancl.htm local resource which is unlikely.
Thursday, 15 March 2007 20:01:39 UTC
You're wrong, the page runs in Internet zone and the phishing filter works!!!
Thursday, 15 March 2007 20:27:10 UTC
Indeed. Since IE6 SP2, all local resources are running under "Internet Zone". This is the reason, by the way, why this vulnerability cannot be exploited for remote code execution.
But, that doesn't mean MS will flag the navcancl.htm local resource, which in this case makes the Anti-Phishing tool useless.
Friday, 16 March 2007 08:48:57 UTC
Anti-phishing filter verifies any http web site loaded in a page and in your PoC this URL 'http://www.raffon.net/research/ms/ie/navcancl/phish.js' is checked by the Antiphishing filter
Sunday, 18 March 2007 08:40:27 UTC
My response for your last comment can be found here: http://aviv.raffon.net/2007/03/18/IE7AntiphishingToolAndExternalScripts.aspx
Wednesday, 04 April 2007 13:42:38 UTC

I'm very interested to know if this problem has been solved with a fix or an update provided by Microsoft.

Friday, 13 April 2007 17:29:55 UTC
It's a fascinating attack. Does this also allow the spoofing of sites using the so-called Extended Validation certificate (the green address bar)?
Friday, 20 July 2007 09:16:21 UTC
I'm searching for answers and solution for a problem in my pc, since some days ago.
When I start my browser (IE7 or Maxthon) with a configured group of 8 different pages, only two of them open normally; the other six pages return that screen with "Navigation to the website was canceled" and a single link to "Refresh the Page".
There is a strange separation between those two situations... the URLs of the two pages that can be seen are "https://..." and the blocked pages are all "http://..." pages!

Is this some kind of problem related to this?
And now, how can I fix this? I can not navigate any more!!!
Please, can anyone who knows help me?

(Sorry for my poor english)
Best regards,
Friday, 20 July 2007 10:38:38 UTC
You can find information about this issue on the IE team blog: http://blogs.msdn.com/ie/archive/2007/05/16/follow-up-to-internet-explorer-may-2007-security-update.aspx
Tuesday, 24 July 2007 05:52:50 UTC
Hi, I've recently had a problem running a hyperlink from a site I know I can trust. My Windows Vista HP Pavilion Entertainment PC's security system MIGHT BE canceling the page from showing up and it says the navigation to this webpage was canceled. My option then is to refresh, but when I do, it says the program cannot display the webpage. Please give me some advice on how to fix this problem and be able to view this webpage!
Monday, 14 July 2008 09:24:26 UTC
Compose mail can't open in my Outlook Web Access; if I open it, a red mark simply appears. I'm using Windows Vista.
Wednesday, 23 July 2008 19:45:46 UTC
I have the same problem. I do a lot of business through Facebook and Myspace and now I can't use them. I know those are typical warning sites for phishing but I have no idea how to get these sites back without a proxy.