http://research.seniorennet.be/Techresearch/Javascript_security_flaw_bug_ie_6/security_flaw_bug_javascript_ie_6_internet_explorer.php
This is pretty cool. Works perfectly on my work computer. There's a proof of concept about halfway down.
Scary.
Yet another reason *not* to use MSIE?
Update: Microsoft claims it's a feature, not a bug:
Quote
- Microsoft is aware of a public report of a vulnerability affecting Internet Explorer. The report indicates that Internet Explorer's default behavior could allow a web page to not display script code when a user attempts to view the source of the page.
- Our investigation reveals that the behavior described in the public report is not a vulnerability in the browser. Instead, this is a well known capability of dynamic html (DHTML) and is a standard feature of most browsers including Internet Explorer.
- Microsoft is concerned that some security researchers may not know the appropriate email alias to report security vulnerabilities to the Microsoft Security Response Center. Secure@microsoft.com is the public email alias for reporting security vulnerabilities to Microsoft.
- We continue to encourage all security researchers to work with Microsoft on a confidential basis so that we can work together in partnership to help protect Microsoft's customers and not put them at unnecessary risk.
- We continue to encourage customers to follow our Protect Your PC guidance of enabling a firewall, getting software updates, and installing antivirus software. Customers can learn more about these steps at www.microsoft.com/protect.
Uhh...that's kinda pathetic. :(
On a "confidential basis"?
So that they blatantly ignore your bug report until it is exploited?
Fuck that.
These aren't bugs, they're random features we didn't know about!
Quote from: Newby on June 10, 2005, 07:31:42 PM
On a "confidential basis"?
So that they blatantly ignore your bug report until it is exploited?
Fuck that.
Yeah, that's bullshit.
lol I don't get this. The site says at the end that it's a security risk. How?
Because you can exploit something using a different vulnerability (this is IE, don't forget), then make the exploit code disappear and never show up so people don't realize what happened.
Quote from: iago on June 10, 2005, 07:18:07 PM
Update: Microsoft claims it's a feature, not a bug:
Quote
- Microsoft is aware of a public report of a vulnerability affecting Internet Explorer. The report indicates that Internet Explorer's default behavior could allow a web page to not display script code when a user attempts to view the source of the page.
- Our investigation reveals that the behavior described in the public report is not a vulnerability in the browser. Instead, this is a well known capability of dynamic html (DHTML) and is a standard feature of most browsers including Internet Explorer.
- Microsoft is concerned that some security researchers may not know the appropriate email alias to report security vulnerabilities to the Microsoft Security Response Center. Secure@microsoft.com is the public email alias for reporting security vulnerabilities to Microsoft.
- We continue to encourage all security researchers to work with Microsoft on a confidential basis so that we can work together in partnership to help protect Microsoft's customers and not put them at unnecessary risk.
- We continue to encourage customers to follow our Protect Your PC guidance of enabling a firewall, getting software updates, and installing antivirus software. Customers can learn more about these steps at www.microsoft.com/protect.
It's still a problem.
Doesn't that mean it can be used in FF too?
It's a Microsoft standard of DHTML, not the REAL standard. :P
No, it doesn't happen on Firefox.
And yeah, I think you're right, it's a MS problem :)
Microsoft has its own standards, so that it can support its own excuses. In the end, both suck. :)
Quote
- Microsoft is concerned that some security researchers may not know the appropriate email alias to report security vulnerabilities to the Microsoft Security Response Center. Secure@microsoft.com is the public email alias for reporting security vulnerabilities to Microsoft.
Translation: STOP MAKING OUR SOFTWARE LOOK INFERIOR TO OTHERS AND CONSIDER THIS A SUBTLE WAY TO HAVE YOU REPORT IT TO OUR EMAIL ADDRESS!
Quote
- We continue to encourage all security researchers to work with Microsoft on a confidential basis so that we can work together in partnership to help protect Microsoft's customers and not put them at unnecessary risk.
Translation: Calling all hackers!!1 Please exploit our software more and send us a detailed explanation and the perfect way to fix it k>?!
Guys I really don't see this as an exploit. It's more of an annoyance to web programmers, and one that I've been dealing with since IE4.
I've known about this for quite a long time. If there was an exploit that would work, someone would have found it already. But IE actually unloads the old page from memory -- it doesn't "hide" it as the guy who thinks he's someone suggested. Functions in scope create a new document via document.write, and as soon as all the functions go out of scope, a temporary page is generated in-memory and that is loaded up as a new page (note that your Back button is enabled when you go to the proof-of-concept page).
But as soon as the functions go out of scope, the system stops processing data from the old page except anything in document.unload.