Author Topic: Hiding JavaScript on IE6  (Read 8866 times)

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • SkullSecurity
Hiding JavaScript on IE6
« on: June 10, 2005, 10:33:59 am »
http://research.seniorennet.be/Techresearch/Javascript_security_flaw_bug_ie_6/security_flaw_bug_javascript_ie_6_internet_explorer.php

This is pretty cool. Works perfectly on my work computer. There's a proof of concept about halfway down.

Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
Re: Hiding JavaScript on IE6
« Reply #1 on: June 10, 2005, 01:06:09 pm »
Scary.
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water balloon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline Quik

  • Webmaster Guy
  • x86
  • Hero Member
  • *****
  • Posts: 3262
  • \x51 \x75 \x69 \x6B \x5B \x78 \x38 \x36 \x5D
Re: Hiding JavaScript on IE6
« Reply #2 on: June 10, 2005, 03:42:02 pm »
Yet another reason *not* to use MSIE?
Quote
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min
[20:21:15] xar: that was funny

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • SkullSecurity
Re: Hiding JavaScript on IE6
« Reply #3 on: June 10, 2005, 07:18:07 pm »
Update: Microsoft claims it's a feature, not a bug:

Quote
- Microsoft is aware of a public report of a vulnerability affecting Internet Explorer. The report indicates that Internet Explorer's default behavior could allow a web page to not display script code when a user attempts to view the source of the page.

- Our investigation reveals that the behavior described in the public report is not a vulnerability in the browser. Instead, this is a well known capability of dynamic html (DHTML) and is a standard feature of most browsers including Internet Explorer.

- Microsoft is concerned that some security researchers may not know the appropriate email alias to report security vulnerabilities to the Microsoft Security Response Center. Secure@microsoft.com is the public email alias for reporting security vulnerabilities to Microsoft.

- We continue to encourage all security researchers to work with Microsoft on a confidential basis so that we can work together in partnership to help protect Microsoft's customers and not put them at unnecessary risk.

- We continue to encourage customers follow our Protect Your PC guidance of enabling a firewall, getting software updates, and installing antivirus software. Customers can learn more about these steps at www.microsoft.com/protect.

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • sidoh
Re: Hiding JavaScript on IE6
« Reply #4 on: June 10, 2005, 07:24:53 pm »
Uhh...that's kinda pathetic. :(

Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
Re: Hiding JavaScript on IE6
« Reply #5 on: June 10, 2005, 07:31:42 pm »
On a "confidential basis"?

So that they blatantly ignore your bug report until it is exploited?

Fuck that.

Offline Quik

  • Webmaster Guy
  • x86
  • Hero Member
  • *****
  • Posts: 3262
  • \x51 \x75 \x69 \x6B \x5B \x78 \x38 \x36 \x5D
Re: Hiding JavaScript on IE6
« Reply #6 on: June 10, 2005, 07:53:43 pm »
These aren't bugs, they're random features we didn't know about!

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • sidoh
Re: Hiding JavaScript on IE6
« Reply #7 on: June 11, 2005, 04:58:52 pm »
Quote
On a "confidential basis"?

So that they blatantly ignore your bug report until it is exploited?

Fuck that.

Yeah, that's bullshit.

Offline drka

  • ffdshow > in_mp3.dll
  • Full Member
  • ***
  • Posts: 330
Re: Hiding JavaScript on IE6
« Reply #8 on: July 03, 2005, 02:29:27 pm »
lol i don't get this. the site says at the end that it's a security risk. how?

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • SkullSecurity
Re: Hiding JavaScript on IE6
« Reply #9 on: July 03, 2005, 02:33:40 pm »
Because you can exploit something using a different vulnerability (this is IE, don't forget), then make the exploit code disappear and never show up so people don't realize what happened. 

Offline Warrior

  • supreme mac daddy of trolls
  • Hero Member
  • *****
  • Posts: 7503
  • One for a Dime two for a Quarter!
Re: Hiding JavaScript on IE6
« Reply #10 on: July 04, 2005, 07:40:04 am »
Quote
Update: Microsoft claims it's a feature, not a bug:

Quote
- Microsoft is aware of a public report of a vulnerability affecting Internet Explorer. The report indicates that Internet Explorer's default behavior could allow a web page to not display script code when a user attempts to view the source of the page.

- Our investigation reveals that the behavior described in the public report is not a vulnerability in the browser. Instead, this is a well known capability of dynamic html (DHTML) and is a standard feature of most browsers including Internet Explorer.

- Microsoft is concerned that some security researchers may not know the appropriate email alias to report security vulnerabilities to the Microsoft Security Response Center. Secure@microsoft.com is the public email alias for reporting security vulnerabilities to Microsoft.

- We continue to encourage all security researchers to work with Microsoft on a confidential basis so that we can work together in partnership to help protect Microsoft's customers and not put them at unnecessary risk.

- We continue to encourage customers follow our Protect Your PC guidance of enabling a firewall, getting software updates, and installing antivirus software. Customers can learn more about these steps at www.microsoft.com/protect.

One must ask oneself: "do I will trolling to become a universal law?" And then when one realizes "yes, I do will it to be such," one feels completely justified.
-- from Groundwork for the Metaphysics of Trolling

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • SkullSecurity
Re: Hiding JavaScript on IE6
« Reply #11 on: July 04, 2005, 09:13:08 am »
It's still a problem.

Offline Warrior

  • supreme mac daddy of trolls
  • Hero Member
  • *****
  • Posts: 7503
  • One for a Dime two for a Quarter!
Re: Hiding JavaScript on IE6
« Reply #12 on: July 04, 2005, 11:08:39 am »
Doesn't that mean it can be used in FF too?

Offline Blaze

  • x86
  • Hero Member
  • *****
  • Posts: 7136
  • Canadian
    • Maide
Re: Hiding JavaScript on IE6
« Reply #13 on: July 04, 2005, 12:06:25 pm »
It's a Microsoft standard of DHTML, not the REAL standard. :P
And like a fool I believed myself, and thought I was somebody else...

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • SkullSecurity
Re: Hiding JavaScript on IE6
« Reply #14 on: July 04, 2005, 12:46:40 pm »
No, it doesn't happen on Firefox.

And yeah, I think you're right, it's a MS problem :)

Offline Krazed

  • x86
  • Hero Member
  • *****
  • Posts: 1822
Re: Hiding JavaScript on IE6
« Reply #15 on: July 04, 2005, 01:14:55 pm »
Microsoft has its own standards, so that it can support its own excuses. In the end, both suck.  :)
It is good to be good, but it is better to be lucky.

01Linux

  • Guest
Re: Hiding JavaScript on IE6
« Reply #16 on: July 04, 2005, 06:02:44 pm »
Quote
- Microsoft is concerned that some security researchers may not know the appropriate email alias to report security vulnerabilities to the
Microsoft Security Response Center.  Secure@microsoft.com is the public email alias for reporting security vulnerabilities to Microsoft.

Translation: STOP MAKING OUR SOFTWARE LOOK INFERIOR TO OTHERS AND CONSIDER THIS A SUBTLE WAY TO HAVE YOU REPORT IT TO OUR EMAIL ADDRESS!

Quote
- We continue to encourage all security researchers to work with
Microsoft on a confidential basis so that we can work together in
partnership to help protect Microsoft's customers and not put them at
unnecessary risk.

Translation: Calling all hackers!!1 Please exploit our software more and send us a detailed explanation and the perfect way to fix it k>?!

Offline MyndFyre

  • Boticulator Extraordinaire
  • x86
  • Hero Member
  • *****
  • Posts: 4540
  • The wait is over.
    • JinxBot :: the evolution in boticulation
Re: Hiding JavaScript on IE6
« Reply #17 on: July 05, 2005, 08:39:46 pm »
Guys I really don't see this as an exploit.  It's more of an annoyance to web programmers, and one that I've been dealing with since IE4.

I've known about this for quite a long time.  If there was an exploit that would work, someone would have found it already.  But IE actually unloads the old page from memory -- it doesn't "hide" it as the guy who thinks he's someone suggested.  Functions in scope create a new document via document.write, and as soon as all the functions go out of scope, a temporary page is generated in-memory and that is loaded up as a new page (note that your Back button is enabled when you go to the proof-of-concept page).

But as soon as the functions go out of scope, the system stops processing data from the old page except anything in document.unload.
I have a programming folder, and I have nothing of value there

Running with Code has a new home!

Our species really annoys me.
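
A defender-side check for the behaviour discussed in this thread, added here as an example and not taken from any poster or from the linked proof of concept: compare the response body captured off the wire (proxy log, saved download) with what View Source displayed, and list the inline scripts that were delivered but are no longer visible. Both HTML samples and the function names `inlineScripts` and `hiddenScripts` are constructed for illustration.

```javascript
// Constructed sample: the body the server actually sent (e.g. from a proxy log).
const rawResponse = `<html><head><script>
function swap() {
  document.write("<html><body>Nothing to see here</body></html>");
}
window.onload = swap;
</script></head><body>Loading...</body></html>`;

// Constructed sample: what View Source showed after the page replaced itself.
const viewedSource = `<html><body>Nothing to see here</body></html>`;

// Return the body of every non-empty inline <script> element,
// with whitespace collapsed so formatting differences do not matter.
function inlineScripts(html) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const body = m[1].replace(/\s+/g, " ").trim();
    if (body) out.push(body);
  }
  return out;
}

// Scripts present in the wire capture but absent from the viewed source.
// rewritesDocument marks scripts that call document.open/write/writeln,
// the mechanism described in the post above for replacing the loaded page.
function hiddenScripts(raw, viewed) {
  const seen = new Set(inlineScripts(viewed));
  return inlineScripts(raw)
    .filter((s) => !seen.has(s))
    .map((s) => ({
      script: s,
      rewritesDocument: /\bdocument\s*\.\s*(open|write|writeln)\s*\(/.test(s),
    }));
}

for (const h of hiddenScripts(rawResponse, viewedSource)) {
  console.log(h.rewritesDocument ? "[rewrites document]" : "[missing]", h.script);
}
```

The wire capture, not the browser's View Source window, is the record to keep when reviewing what a page executed.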