Event 1025 - Object Caching Protection

• Logged Message
• What Is It?
• When Is This Event Logged?
• Example
• Remediation
• Related topics

Logged Message

A reference to an object is no longer accessible when the user browses to a new domain in Windows Internet Explorer 8, Windows Internet Explorer 7, and Microsoft Internet Explorer 6 for Windows XP with Service Pack 2 (SP2). There is a security context on all scriptable objects so that access to all cached objects is blocked. Additionally, Windows Internet Explorer blocks access when browsing within the same domain (fully qualified domain name). A reference to an object is no longer accessible after the context has changed due to navigation.

What Is It?

In earlier versions of Windows, some webpages were able to access objects cached from another website. In Internet Explorer 8, a reference to an object is no longer accessible when the user browses to a new domain. There is a new security context for all scriptable objects so that access to all cached objects is blocked. Additionally, access is blocked when browsing within the same domain (fully qualified domain name). A reference to an object is no longer accessible after the context has changed due to navigation.

When Is This Event Logged?

This event is logged if script attempts to access a cached object.

Example

Perform the following steps to see this event logged in the compatibility tool:

1. Create a webpage with the following contents. For this example call it 1025.html.

   <html>
   <head>
   <title>Object Caching test</title>
   
   <script language="jscript">
   
   var vulObjs={
           showModalDialog:{
               Cache:function (openWin) { return openWin.showModalDialog },
               Exploit:function (openWin,vCache,sInject) { 
                   if (document.implementation) {
                       function oExploit(iSec) {
                           return {                            
                           };
                       }
                       oExploit.length=1;
                       var oSecurity={
                           document:{
                               all:{
                                   tags:function (sTag) {
                                       return sTag=="link" ? oExploit : [];
                                   }
                               }
                           }
                       }
                       vCache("res://shdoclc.dll/analyze.dlg",oSecurity,"");
                   } 
               },
               Options:fInject
           }
       };
   
   function fInject(oVulnItem,openWin) {
       oExploitOptions.innerHTML="<input type=\"button\" id=\"oExecute\" value=\"Execute\">";
   
       oExecute.onclick=function () {
           try {
               openWin.focus();
               oVulnItem.Exploit(openWin,oVulnItem.CachedObject,"alert(document.cookie)");
           }
           catch (oErr) {
               alert("Error occurred while injecting ("+oErr.description+").");
           }
       }    
   }
   
   function assignLoc(sURL,openWin) {
       try {
           openWin.location.href=/^(res|file|http|https):\/\//i.test(sURL) ? sURL : "http://"+sURL;
       }
       catch (oErr) {
           openWin.location.href="getLocal.asp?resName="+escape(sURL);
       }
   }
   
   onload=function () {
       var oOption,sMethod,openWin;
   
       openWin=open("blank.html","victim","width=400,height=300");
       focus();
       setTimeout(
           function () {
               for (sMethod in vulObjs) {
                   vulObjs[sMethod].CachedObject=vulObjs[sMethod].Cache(openWin);
               }
               oStatus.innerText=
                   "";
               oGUI.style.display="block";
               assignLoc("https://www.microsoft.com",openWin);
               oExploitOptions.style.display="block";
               vulObjs["showModalDialog"].Options(vulObjs["showModalDialog"],openWin);
           },
           3000
       );
   
   }
   </script>
   </head>
   <body>
   <div id="oStatus">Caching objects please wait...</div>
   <div id="oGUI">    
       <div id="oExploitOptions"></div>
   
   </div>
   </body>
   </html>
   

2. Install the file in the root directory of the local web server. On a Microsoft Internet Information Services (IIS) server this means putting the file in this directory:

   .\wwwroot

3. Browse to the file:

   http://127.0.0.1/1025.html

   A message appears in the information bar indicating that Pop-ups are blocked.

4. Right click the information bar and select "Always allow pop-ups from This Site" menu option.

   This allows the pop-up in the example to be displayed. You can turn off pop-ups later if you like.

   Notice that a second window appears that redirects to www.microsoft.com.

5. Click the Execute button on the 1025.html page.

   Internet Explorer displays a dialog that reads:

   Error occurred while injecting (Permission Denied)

What's happening is that the main page (1025.html) is opening up a second window that redirects to www.microsoft.com. The main page caches a reference to that second window. When you click the Execute button, you're invoking code on the main page that attempts to manipulate the second window through its cached reference. Since the security context of the two windows are different, Internet Explorer prevents the attempt, and displays an error. The Object Caching event is also logged to the compatibility tool.

Remediation

Moving your website to an intranet site is an alternative that makes object caching acceptable. Changing the webpage so it does not rely on object caching is another option. For more information on updating a webpage that experiences a problem with this security feature, see Knowledge Base Article 884697.

For more articles on object caching protection, including any updates made to this feature, see Object Caching Protection.

Related topics

Internet Explorer Application Compatibility

Events 1021 through 1028