Hiding JavaScript on IE6

[iago]

http://research.seniorennet.be/Techresearch/Javascript_security_flaw_bug_ie_6/security_flaw_bug_javascript_ie_6_internet_explorer.php

This is pretty cool.  Works perfectly on my work computer.  There's a proof of concept about half way down.

[Newby]

Scary.

[Quik]

Yet another reason *not* to use MSIE?

[iago]

Update: Microsoft claims it's a feature, not a bug:

- Microsoft is aware of a public report of a vulnerability affecting
Internet Explorer.  The report indicates that Internet Explorer's
default behavior could allow a web page to not display script code when a user attempts to view the source of the page.  - Our investigation reveals that the behavior described in the public
report is not a vulnerability in the browser. Instead, this is a well
known capability of dynamic html (DHTML) and is a standard feature of
most browsers including Internet Explorer.
- Microsoft is concerned that some security researchers may not know the appropriate email alias to report security vulnerabilities to the
Microsoft Security Response Center.  Secure@microsoft.com is the public email alias for reporting security vulnerabilities to Microsoft.

- We continue to encourage all security researchers to work with
Microsoft on a confidential basis so that we can work together in
partnership to help protect Microsoft's customers and not put them at
unnecessary risk.

- We continue to encourage customers follow our Protect Your PC guidance of enabling a firewall, getting software updates, and installing antivirus software. Customers can learn more about these steps at www.microsoft.com/protect.

[Sidoh]

Uhh...that's kinda pathetic.

[Newby]

On a "confidential basis"?

SO that they blatently ignore your bug report until it is exploited?

Fuck that.

[Quik]

These aren't bugs, their random features we didn't know about!

[Sidoh]

On a "confidential basis"?

SO that they blatently ignore your bug report until it is exploited?

Fuck that.

Yeah, that's bullshit.

[drka]

lol i dont get this. the site says at the end that its a security risk. how?

[iago]

Because you can exploit something using a different vulnerability (this is IE, don't forget), then make the exploit code disappear and never show up so people don't realize what happened. 

[Warrior]

Update: Microsoft claims it's a feature, not a bug:

- Microsoft is aware of a public report of a vulnerability affecting
Internet Explorer.  The report indicates that Internet Explorer's
default behavior could allow a web page to not display script code when a user attempts to view the source of the page.  - Our investigation reveals that the behavior described in the public
report is not a vulnerability in the browser. Instead, this is a well
known capability of dynamic html (DHTML) and is a standard feature of
most browsers including Internet Explorer.
- Microsoft is concerned that some security researchers may not know the appropriate email alias to report security vulnerabilities to the
Microsoft Security Response Center.  Secure@microsoft.com is the public email alias for reporting security vulnerabilities to Microsoft.

- We continue to encourage all security researchers to work with
Microsoft on a confidential basis so that we can work together in
partnership to help protect Microsoft's customers and not put them at
unnecessary risk.

- We continue to encourage customers follow our Protect Your PC guidance of enabling a firewall, getting software updates, and installing antivirus software. Customers can learn more about these steps at www.microsoft.com/protect.

[iago]

It's still a problem.

[Warrior]

Doesn't that mean it can be used in FF too?

[Blaze]

Its a microsoft standard of DHTML, not the REAL standard.

[iago]

No, it doesn't happen on FireFox.

And yeah, I think you're right, it's a MS problem

[Krazed]

Microsoft has it's own standards, so that it can support it's own excuses. In the end, both suck. 

[01Linux]

- Microsoft is concerned that some security researchers may not know the appropriate email alias to report security vulnerabilities to the
Microsoft Security Response Center.  Secure@microsoft.com is the public email alias for reporting security vulnerabilities to Microsoft.

Translation: STOP MAKING OUR SOFTWARE LOOK INFERIOR TO OTHERS AND CONSIDER THIS A SUBTLE WAY TO HAVE YOU REPORT IT TO OUR EMAIL ADDRESS!

- We continue to encourage all security researchers to work with
Microsoft on a confidential basis so that we can work together in
partnership to help protect Microsoft's customers and not put them at
unnecessary risk.

Translation: Calling all hackers!!1 Please exploit our software more and send us a detailed explanation and the perfect way to fix it k>?!

[MyndFyre]

Guys I really don't see this as an exploit.  It's more of an annoyance to web programmers, and one that I've been dealing with since IE4.

I've known about this for quite a long time.  If there was an exploit that would work, someone would have found it already.  But IE actually unloads the old page from memory -- it doesn't "hide" it as the guy who thinks he's someone suggested.  Functions in scope create a new document via document.write, and as soon as all the functions go out of scope, a temporary page is generated in-memory and that is loaded up as a new page (note that your Back button is enabled when you go to the proof-of-concept page).

But as soon as the functions go out of scope, the system stops processing data from the old page except anything in document.unload.