Bugtraq mailing list archives
Re: IE 5 security vulnerability - circumventing Cross-frame security policy using Java/JavaScript (and disabling Active Scripting is not that easy)
From: joro () NAT BG (Georgi Guninski)
Date: Mon, 24 Apr 2000 15:37:29 +0300
I made a mistake in my Advisory #10 - disabling Scripting of Java applets stops neither a small modification of my exploit nor the execution of Active Scripting when it is disabled. Before writing my advisory I tested an exploit once with Scripting of Java applets disabled and it did stop the exploit - obviously I made a mistake and missed something, or there is some strange timing issue with Internet Explorer. Now the same exploit works fine. Thanks to Mr. TAKAGI for letting me know. So the only solution to stop the exploit and the execution of Active Scripting is to disable Java.

"TAKAGI, Hiromitsu" wrote:

> > Note: This is NOT a bug in the Java language, this is a bug in Microsoft's implementation of Java in IE.
>
> It is not a bug in the implementation of "Java". The class JSObject that is the magic code of the vulnerability is not included in the standard Java API; it is included in the package netscape.javascript, which is an extension library provided by Netscape or Microsoft. So it sounds better to say, "This is NOT a bug of Java, this is a bug in Microsoft's implementation of the extension Java package for JavaScript".

I am not a Java expert and shall not argue about that. Hope the readers understand my point.

> > If you have Java enabled and Scripting of Java applets enabled, Active Scripting may be executed. So, to really disable Active Scripting, disable Active Scripting and disable Java and/or Scripting of Java applets.
> >
> > Workaround: Disable Java or disable Scripting of Java applets
>
> Disabling "Scripting of Java applets" seems to have no relation to the vulnerability. Your exploit code can be refined as the following code, which does not use the function "Scripting of Java applets". This modified version of Guninski's demo is available here: http://java-house.etl.go.jp/~takagi/java/test/Guninski-jsinject-modified/ I confirmed that it is still vulnerable with "Scripting of Java applets" disabled.

This is correct.

Regards,
Georgi Guninski