Cross-zone scripting is a browser exploit taking advantage of a vulnerability within a zone-based security solution. The attack allows content (scripts) in unprivileged zones to be executed with the permissions of a privileged zone - i.e. a privilege escalation within the client (web browser) executing the script. The vulnerability could be:
- a web browser bug which under some conditions allows content (scripts) in one zone to be executed with the permissions of a higher privileged zone.
- a web browser configuration error; unsafe sites listed in privileged zones.
- a cross-site scripting vulnerability within a privileged zone
A common attack scenario involves two steps. The first step is to use a cross-zone scripting vulnerability to get scripts executed within a privileged zone. To complete the attack, then perform malicious actions on the computer using insecure ActiveX components.
This type of vulnerability has been exploited to silently install various malware (such as spyware, remote control software, worms and such) onto computers browsing a malicious web page.
Read more about Cross-zone Scripting: Origins of The Zone Concept