Hiding JavaScript on IE6

[iago]

http://research.seniorennet.be/Techresearch/Javascript_security_flaw_bug_ie_6/security_flaw_bug_javascript_ie_6_internet_explorer.php

This is pretty cool.  Works perfectly on my work computer.  There's a proof of concept about half way down.

[Newby]

Scary.

[Quik]

Yet another reason *not* to use MSIE?

[iago]

Update: Microsoft claims it's a feature, not a bug:

- Microsoft is aware of a public report of a vulnerability affecting
Internet Explorer.  The report indicates that Internet Explorer's
default behavior could allow a web page to not display script code when a user attempts to view the source of the page.  - Our investigation reveals that the behavior described in the public
report is not a vulnerability in the browser. Instead, this is a well
known capability of dynamic html (DHTML) and is a standard feature of
most browsers including Internet Explorer.
- Microsoft is concerned that some security researchers may not know the appropriate email alias to report security vulnerabilities to the
Microsoft Security Response Center.  Secure@microsoft.com is the public email alias for reporting security vulnerabilities to Microsoft.

- We continue to encourage all security researchers to work with
Microsoft on a confidential basis so that we can work together in
partnership to help protect Microsoft's customers and not put them at
unnecessary risk.

- We continue to encourage customers follow our Protect Your PC guidance of enabling a firewall, getting software updates, and installing antivirus software. Customers can learn more about these steps at www.microsoft.com/protect.

[Sidoh]

Uhh...that's kinda pathetic.

[Newby]

On a "confidential basis"?

SO that they blatently ignore your bug report until it is exploited?

Fuck that.

[Quik]

These aren't bugs, their random features we didn't know about!

[Sidoh]

On a "confidential basis"?

SO that they blatently ignore your bug report until it is exploited?

Fuck that.

Yeah, that's bullshit.

[drka]

lol i dont get this. the site says at the end that its a security risk. how?

[iago]

Because you can exploit something using a different vulnerability (this is IE, don't forget), then make the exploit code disappear and never show up so people don't realize what happened. 

[Warrior]

Update: Microsoft claims it's a feature, not a bug:

- Microsoft is aware of a public report of a vulnerability affecting
Internet Explorer.  The report indicates that Internet Explorer's
default behavior could allow a web page to not display script code when a user attempts to view the source of the page.  - Our investigation reveals that the behavior described in the public
report is not a vulnerability in the browser. Instead, this is a well
known capability of dynamic html (DHTML) and is a standard feature of
most browsers including Internet Explorer.
- Microsoft is concerned that some security researchers may not know the appropriate email alias to report security vulnerabilities to the
Microsoft Security Response Center.  Secure@microsoft.com is the public email alias for reporting security vulnerabilities to Microsoft.

- We continue to encourage all security researchers to work with
Microsoft on a confidential basis so that we can work together in
partnership to help protect Microsoft's customers and not put them at
unnecessary risk.

- We continue to encourage customers follow our Protect Your PC guidance of enabling a firewall, getting software updates, and installing antivirus software. Customers can learn more about these steps at www.microsoft.com/protect.

[iago]

It's still a problem.

[Warrior]

Doesn't that mean it can be used in FF too?

[Blaze]

Its a microsoft standard of DHTML, not the REAL standard.

[iago]

No, it doesn't happen on FireFox.

And yeah, I think you're right, it's a MS problem