SecurityTracker.com
Category:  Application (Web Browser)  >  Microsoft Internet Explorer (IE)
Vendors:  Microsoft
Microsoft Internet Explorer Lets Remote Users Obfuscate Scripting Code
SecurityTracker Alert ID:  1014174
SecurityTracker URL:  http://securitytracker.com/id?1014174
CVE Reference:  GENERIC-MAP-NOMATCH
Updated:  Jun 12 2005
Original Entry Date:  Jun 11 2005
Impact:  Modification of system information
Exploit Included:  Yes  
Version(s): 6 SP2
Description:  Pascal Vyncke reported a vulnerability in Microsoft Internet Explorer (IE). A remote user can obfuscate scripting code.

The IE browser does not properly process certain JavaScript scripting code. A remote user can create specially crafted HTML that, when loaded by the target user, will execute scripting code but will not display that code via the View Source function. Instead of displaying the original HTML scripting code, IE will display the scripting results in the View Source window.

Some demonstration exploit code is provided:

<script type="text/jscript">
function init() {
    document.write("The time is: " + Date() );
}
window.onload = init;
</script>

A demonstration exploit is available at:

http://research.seniorennet.be/Techresearch/Javascript_security_flaw_bug_ie_6/exploit_javascript_ie_6_bug.htm

The vendor was notified on June 7, 2005.
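
The demonstration code above calls document.write from a window.onload handler, and a write issued after the page has finished loading replaces the loaded document. As an added example (not part of the advisory or the reporter's code), this Node.js heuristic flags that pattern in the raw response body, which is what a reviewer should inspect instead of View Source; the function names and both sample pages are constructed for illustration.

```javascript
// Added example: heuristic static check, not a full HTML/JS parser.
// Run it on the raw HTTP response body, not on View Source output.

// Constructed sample with the same shape as the advisory's demonstration code.
const SAMPLE_PAGE = `<html><body>
<script type="text/jscript">
function init() {
  document.write("The time is: " + Date());
}
window.onload = init;
</script></body></html>`;

// Constructed benign sample: document.write runs while parsing, not on load.
const BENIGN_PAGE = `<html><body onload="setup()">
<script>document.write("hello");</script>
<script>function setup() { var x = 1; }</script></body></html>`;

// Collect the text of every inline <script> element.
function inlineScripts(html) {
  return [...html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi)].map(m => m[1]);
}

// Return the body of `function name(...) { ... }` by naive brace counting
// (braces inside string literals are not handled), or null if not found.
function functionBody(src, name) {
  const head = new RegExp("function\\s+" + name + "\\s*\\([^)]*\\)\\s*\\{").exec(src);
  if (!head) return null;
  const start = head.index + head[0].length;
  let depth = 1, i = start;
  for (; i < src.length && depth > 0; i++) {
    if (src[i] === "{") depth++;
    else if (src[i] === "}") depth--;
  }
  return src.slice(start, i - 1);
}

// Names of load handlers (window.onload = f; or <body onload="f()">) whose
// function body calls document.write / document.writeln.
function findPostLoadWrites(html) {
  const src = inlineScripts(html).join("\n");
  const handlers = [
    ...[...src.matchAll(/\bwindow\.onload\s*=\s*(\w+)\s*;/g)].map(m => m[1]),
    ...[...html.matchAll(/<body\b[^>]*\bonload\s*=\s*["']?\s*(\w+)\s*\(/gi)].map(m => m[1]),
  ];
  return [...new Set(handlers)].filter(name => {
    const body = functionBody(src, name);
    return body !== null && /\bdocument\.write(?:ln)?\s*\(/.test(body);
  });
}

console.log(findPostLoadWrites(SAMPLE_PAGE));
```

Anonymous handlers (window.onload = function () { ... }) and externally loaded scripts are outside what this check covers.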

Impact:  A remote user can cause scripting code to be obfuscated.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/
Cause:  Input validation error
Underlying OS:  Windows (Any)
Reported By:  "Pascal Vyncke" <development@seniorennet.be>
Message History:   None.


Source Message Contents

Date:  Wed, 8 Jun 2005 21:03:47 +0200
From:  "Pascal Vyncke" <development@seniorennet.be>
Subject:  New IE6 security hole - PRESS RELEASE

 
 
PRESS RELEASE
 
 
 
Hi,
 
 
 
I discovered a NEW security hole / exploit in IE6 with SP2 and all the latest security 
patches. 
 
 
 
Overview of the exploit:
 
    * Bug for all Microsoft Internet Explorer users
    * Can be abused by hackers to run harmful JavaScript code and can be abused to 
mislead existing protection against harmful JavaScript code, like software from Norton, 
McAfee,…
    * Can be abused to mislead the search engines Google, MSN, Yahoo, AltaVista,…
    * Unpleasant for JavaScript programmers
 
 
 
I searched the net about the bug but found nothing, so I really think it is a NEW bug.
 
 
 
All the information about the new bug (info, exploit,…) , see the page 
http://research.seniorennet.be/Techresearch/Javascript_security_flaw_bug_ie_6/security_flaw_bug_javas
cript_ie_6_internet_explorer.php The bug is reported to Microsoft. I publish this bug/exploit because a know security flaw is less dangerous than an unknown security hole that can be used by real hackers, swindlers or racketeers. For more information about me, see also the internet page above. Best regards, Pascal Vyncke


Copyright 2005, SecurityGlobal.net LLC