New IE security hole



Pascal Vyncke
07-09-2005, 10:53 PM
Hi,

I discovered a NEW security hole / exploit in IE6 with SP2 and all the
latest security patches.

Overview of the exploit:

* Bug for all Microsoft Internet Explorer users
* Can be abused by hackers to run harmful JavaScript code and can be abused
to mislead existing protection against harmful JavaScript code, like
software from Norton, McAfee,.
* Can be abused to mislead the search engines Google, MSN, Yahoo,
AltaVista,.
* Unpleasant for JavaScript programmers

All the information about the NEW horrible bug (info, exploit,.) , see the
page
http://research.seniorennet.be/Techresearch/Javascript_security_flaw_bug_ie_6/security_flaw_bug_javascript_ie_6_internet_explorer.php

Best regards,
Pascal Vyncke

Imhotep
07-09-2005, 10:53 PM
Pascal Vyncke wrote:

> Hi,
>
> I discovered a NEW security hole / exploit in IE6 with SP2 and all the
> latest security patches.
>
> Overview of the exploit:
>
> * Bug for all Microsoft Internet Explorer users
> * Can be abused by hackers to run harmful JavaScript code and can be
> abused to mislead existing protection against harmful JavaScript code,
> like software from Norton, McAfee,.
> * Can be abused to mislead the search engines Google, MSN, Yahoo,
> AltaVista,.
> * Unpleasant for JavaScript programmers
>
> All the information about the NEW horrible bug (info, exploit,.) , see the
> page
>
http://research.seniorennet.be/Techresearch/Javascript_security_flaw_bug_ie_6/security_flaw_bug_javascript_ie_6_internet_explorer.php
>
> Best regards,
> Pascal Vyncke

Nothing new...Microsoft drops the ball yet again. But hey, the new XBox
looks cool....

-Im

Karl Levinson, mvp
07-09-2005, 10:53 PM
Groan... Thanks for finding this and writing this up, that's pretty cool.

However, by only giving MS two days to fix this, you have not done the world
a favor. Would it have killed you to wait a month or two for MS to
presumably release a patch?

Your statement that "a [known] security flaw is less dangerous than an
unknown security hole that can be used by real hackers, swindlers or
racketeers" is not true, especially if you cannot turn off JavaScript for
one reason or another. You're only 20, so you don't realize that most large
enterprises such as governments and banks cannot just "turn off Javascript
for a month or two," both because it would break needed functionality, and
because many enterprises cannot test and implement changes that quickly or
that comprehensively. Security researchers in favor of full and immediate
disclosure as a method of "making the vendor take security more seriously"
rarely look to see whether their theory is actually working out that way.

Microsoft always takes at least 45 days to test and release a patch. Your
publishing this vuln will do nothing to speed up MS releasing a patch. And
if it did, that would probably be a bad thing, because it increases the risk
that their patch might break something for someone running a non-English
version of Windows in say, Belgium. That kind of problem happened two or
three times in 2004.


"Pascal Vyncke" <development-REMOVE-THIS-NOSPAM@seniorennet.be> wrote in
message news:PyQpe.114729$E46.6804526@phobos.telenet-ops.be...
> Hi,
>
> I discovered a NEW security hole / exploit in IE6 with SP2 and all the
> latest security patches.
>
> Overview of the exploit:
>
> * Bug for all Microsoft Internet Explorer users
> * Can be abused by hackers to run harmful JavaScript code and can be
abused
> to mislead existing protection against harmful JavaScript code, like
> software from Norton, McAfee,.
> * Can be abused to mislead the search engines Google, MSN, Yahoo,
> AltaVista,.
> * Unpleasant for JavaScript programmers
>
> All the information about the NEW horrible bug (info, exploit,.) , see the
> page
>
http://research.seniorennet.be/Techresearch/Javascript_security_flaw_bug_ie_6/security_flaw_bug_javascript_ie_6_internet_explorer.php
>
> Best regards,
> Pascal Vyncke
>
>

Imhotep
07-09-2005, 10:53 PM
Karl Levinson, mvp wrote:

> Groan... Thanks for finding this and writing this up, that's pretty cool.
>
> However, by only giving MS two days to fix this, you have not done the
> world
> a favor. Would it have killed you to wait a month or two for MS to
> presumably release a patch?
>
> Your statement that "a [known] security flaw is less dangerous than an
> unknown security hole that can be used by real hackers, swindlers or
> racketeers" is not true, especially if you cannot turn off JavaScript for
> one reason or another. You're only 20, so you don't realize that most
> large enterprises such as governments and banks cannot just "turn off
> Javascript for a month or two," both because it would break needed
> functionality, and because many enterprises cannot test and implement
> changes that quickly or
> that comprehensively. Security researchers in favor of full and immediate
> disclosure as a method of "making the vendor take security more seriously"
> rarely look to see whether their theory is actually working out that way.
>
> Microsoft always takes at least 45 days to test and release a patch. Your
> publishing this vuln will do nothing to speed up MS releasing a patch.
> And if it did, that would probably be a bad thing, because it increases
> the risk that their patch might break something for someone running a
> non-English
> version of Windows in say, Belgium. That kind of problem happened two or
> three times in 2004.
>
>
> "Pascal Vyncke" <development-REMOVE-THIS-NOSPAM@seniorennet.be> wrote in
> message news:PyQpe.114729$E46.6804526@phobos.telenet-ops.be...
>> Hi,
>>
>> I discovered a NEW security hole / exploit in IE6 with SP2 and all the
>> latest security patches.
>>
>> Overview of the exploit:
>>
>> * Bug for all Microsoft Internet Explorer users
>> * Can be abused by hackers to run harmful JavaScript code and can be
> abused
>> to mislead existing protection against harmful JavaScript code, like
>> software from Norton, McAfee,.
>> * Can be abused to mislead the search engines Google, MSN, Yahoo,
>> AltaVista,.
>> * Unpleasant for JavaScript programmers
>>
>> All the information about the NEW horrible bug (info, exploit,.) , see
>> the page
>>
>
http://research.seniorennet.be/Techresearch/Javascript_security_flaw_bug_ie_6/security_flaw_bug_javascript_ie_6_internet_explorer.php
>>
>> Best regards,
>> Pascal Vyncke
>>
>>

A couple of things I disagree with you on. Most companies have some sort of
http proxy/application layer filter. I simply limited the sites that our
users can use javascript to (company related, company partners, etc). I
created this list from the last time IE had javascript "issues". Second,
saying Microsoft needs 45 days to fix this is a load of cow "flap". That is
nothing more than an excuse. Microsoft should have a shorter window than
that. They are the richest company on the Planet, so hire more people. That
"window" should not be larger than a week....

Simply, hiding the fact that this exists is lame at best. If this guy
discovered it who is to say it has not been known for some time by people
who are currently using the technique? Really, this technique could have
been in use for months or more already....

Posting allows people like myself to take immediate action to at least
limit this gaping hole, yet again, in a MS product. Security by obscurity
never works....

-Im

Michael Evanchik
07-09-2005, 10:53 PM
this doesn't do anything critical at all

www.michaelevanchik.com

"Imhotep" wrote:

> Karl Levinson, mvp wrote:
>
> > Groan... Thanks for finding this and writing this up, that's pretty cool.
> >
> > However, by only giving MS two days to fix this, you have not done the
> > world
> > a favor. Would it have killed you to wait a month or two for MS to
> > presumably release a patch?
> >
> > Your statement that "a [known] security flaw is less dangerous than an
> > unknown security hole that can be used by real hackers, swindlers or
> > racketeers" is not true, especially if you cannot turn off JavaScript for
> > one reason or another. You're only 20, so you don't realize that most
> > large enterprises such as governments and banks cannot just "turn off
> > Javascript for a month or two," both because it would break needed
> > functionality, and because many enterprises cannot test and implement
> > changes that quickly or
> > that comprehensively. Security researchers in favor of full and immediate
> > disclosure as a method of "making the vendor take security more seriously"
> > rarely look to see whether their theory is actually working out that way.
> >
> > Microsoft always takes at least 45 days to test and release a patch. Your
> > publishing this vuln will do nothing to speed up MS releasing a patch.
> > And if it did, that would probably be a bad thing, because it increases
> > the risk that their patch might break something for someone running a
> > non-English
> > version of Windows in say, Belgium. That kind of problem happened two or
> > three times in 2004.
> >
> >
> > "Pascal Vyncke" <development-REMOVE-THIS-NOSPAM@seniorennet.be> wrote in
> > message news:PyQpe.114729$E46.6804526@phobos.telenet-ops.be...
> >> Hi,
> >>
> >> I discovered a NEW security hole / exploit in IE6 with SP2 and all the
> >> latest security patches.
> >>
> >> Overview of the exploit:
> >>
> >> * Bug for all Microsoft Internet Explorer users
> >> * Can be abused by hackers to run harmful JavaScript code and can be
> > abused
> >> to mislead existing protection against harmful JavaScript code, like
> >> software from Norton, McAfee,.
> >> * Can be abused to mislead the search engines Google, MSN, Yahoo,
> >> AltaVista,.
> >> * Unpleasant for JavaScript programmers
> >>
> >> All the information about the NEW horrible bug (info, exploit,.) , see
> >> the page
> >>
> >
> http://research.seniorennet.be/Techresearch/Javascript_security_flaw_bug_ie_6/security_flaw_bug_javascript_ie_6_internet_explorer.php
> >>
> >> Best regards,
> >> Pascal Vyncke
> >>
> >>
>
> A couple of things I disagree with you on. Most companies have some sort of
> http proxy/application layer filter. I simply limited the sites that our
> users can use javascript to (company related, company partners, etc). I
> created this list from the last time IE had javascript "issues". Second,
> saying Microsoft needs 45 days to fix this is a load of cow "flap". That is
> nothing more than an excuse. Microsoft should have a shorter window than
> that. They are the riches company on the Planet, so hire more people. That
> "window" should not be larger than a week....
>
> Simply, hiding the fact that this exists is lame at best. If this guy
> discovered it who is to say it has not been known for some time by people
> who are currently using the technique? Really, this technique could have
> been in use for months or more already....
>
> Posting allows people like my self to take immediate action to at least
> limit this gapping hole, yet again, in a MS product. Security by obscurity
> never works....
>
> -Im
>

Imhotep
07-09-2005, 10:53 PM
Michael Evanchik wrote:

> this doesnt do anything critical at all
>
> www.michaelevanchik.com
>
> "Imhotep" wrote:
>
>> Karl Levinson, mvp wrote:
>>
>> > Groan... Thanks for finding this and writing this up, that's pretty
>> > cool.
>> >
>> > However, by only giving MS two days to fix this, you have not done the
>> > world
>> > a favor. Would it have killed you to wait a month or two for MS to
>> > presumably release a patch?
>> >
>> > Your statement that "a [known] security flaw is less dangerous than an
>> > unknown security hole that can be used by real hackers, swindlers or
>> > racketeers" is not true, especially if you cannot turn off JavaScript
>> > for
>> > one reason or another. You're only 20, so you don't realize that most
>> > large enterprises such as governments and banks cannot just "turn off
>> > Javascript for a month or two," both because it would break needed
>> > functionality, and because many enterprises cannot test and implement
>> > changes that quickly or
>> > that comprehensively. Security researchers in favor of full and
>> > immediate disclosure as a method of "making the vendor take security
>> > more seriously" rarely look to see whether their theory is actually
>> > working out that way.
>> >
>> > Microsoft always takes at least 45 days to test and release a patch.
>> > Your publishing this vuln will do nothing to speed up MS releasing a
>> > patch. And if it did, that would probably be a bad thing, because it
>> > increases the risk that their patch might break something for someone
>> > running a non-English
>> > version of Windows in say, Belgium. That kind of problem happened two
>> > or three times in 2004.
>> >
>> >
>> > "Pascal Vyncke" <development-REMOVE-THIS-NOSPAM@seniorennet.be> wrote
>> > in message news:PyQpe.114729$E46.6804526@phobos.telenet-ops.be...
>> >> Hi,
>> >>
>> >> I discovered a NEW security hole / exploit in IE6 with SP2 and all the
>> >> latest security patches.
>> >>
>> >> Overview of the exploit:
>> >>
>> >> * Bug for all Microsoft Internet Explorer users
>> >> * Can be abused by hackers to run harmful JavaScript code and can be
>> > abused
>> >> to mislead existing protection against harmful JavaScript code, like
>> >> software from Norton, McAfee,.
>> >> * Can be abused to mislead the search engines Google, MSN, Yahoo,
>> >> AltaVista,.
>> >> * Unpleasant for JavaScript programmers
>> >>
>> >> All the information about the NEW horrible bug (info, exploit,.) , see
>> >> the page
>> >>
>> >
>>
http://research.seniorennet.be/Techresearch/Javascript_security_flaw_bug_ie_6/security_flaw_bug_javascript_ie_6_internet_explorer.php
>> >>
>> >> Best regards,
>> >> Pascal Vyncke
>> >>
>> >>
>>
>> A couple of things I disagree with you on. Most companies have some sort
>> of http proxy/application layer filter. I simply limited the sites that
>> our users can use javascript to (company related, company partners, etc).
>> I created this list from the last time IE had javascript "issues".
>> Second, saying Microsoft needs 45 days to fix this is a load of cow
>> "flap". That is nothing more than an excuse. Microsoft should have a
>> shorter window than that. They are the riches company on the Planet, so
>> hire more people. That "window" should not be larger than a week....
>>
>> Simply, hiding the fact that this exists is lame at best. If this guy
>> discovered it who is to say it has not been known for some time by people
>> who are currently using the technique? Really, this technique could have
>> been in use for months or more already....
>>
>> Posting allows people like my self to take immediate action to at least
>> limit this gapping hole, yet again, in a MS product. Security by
>> obscurity never works....
>>
>> -Im
>>

....would be nice if you elaborated a little...

-Im

Karl Levinson, mvp
07-09-2005, 10:53 PM
"Imhotep" <NoSpam@NoThanks.com> wrote in message
news:2r5qe.9589$tr.7589@fed1read03...

> A couple of things I disagree with you on. Most companies have some sort
of
> http proxy/application layer filter.

I feel it's not quite that simple... Many large enterprises have proxy
servers but have unknown numbers of users and apps that require JavaScript,
while many small businesses don't have proxy servers. Most home users don't
read security bulletins to make manual changes. Many of them don't even
enable automatic updates. I would say the amount of total Internet users
behind proxies is probably less than 50%, and of those, the number that can
safely disable JavaScript and do it in less than 30 days is much lower than
50%.

> I simply limited the sites that our
> users can use javascript to (company related, company partners, etc). I
> created this list from the last time IE had javascript "issues". Second,
> saying Microsoft needs 45 days to fix this is a load of cow "flap". That
is
> nothing more than an excuse. Microsoft should have a shorter window than
> that. They are the riches company on the Planet, so hire more people. That
> "window" should not be larger than a week....

You are wrong. People are cheap, much cheaper than bad press and lost
customers. If it was as simple as adding more people, MS would have already
done it. A million paid MS employees doing QA testing still can't replicate
all the hardware and software applications being used by real people in the
real world. The reality we face is that it has taken MS 45 days for every
single patch for the past 2 years. Even then, MS had to re-release two or
three of their patches from 2004 due to problems, twice due to problems with
language localized versions of Windows. MS knows this is a problem and can
probably make this better, but only with future versions of Windows.

> Simply, hiding the fact that this exists is lame at best. If this guy
> discovered it who is to say it has not been known for some time by people
> who are currently using the technique? Really, this technique could have
> been in use for months or more already....

It hasn't, but if it has, another month isn't that big a deal.

> Posting allows people like my self to take immediate action to at least
> limit this gapping hole, yet again, in a MS product.

Unfortunately, "people like yourself" who can secure yourself against this
is far far less than 50% of the MS customer base, and is close to 0% of home
users.

> Security by obscurity never works....

That's just not true. You should never rely solely on security by
obscurity, but obscurity is not useless. Obscurity can and does still add
security. The book "Writing Secure Code v2" backs this up.

Releasing security bulletins to the general public when there is no
practical solution does nothing but create panic, which is not useful. If
this was a vague terrorism warning with no good solution, instead of a
computer security warning with no good solution, this fact would be more
obvious.

Besides, if you really wanted to make the world safer by letting the world
know, the best way to do this would be to let MS announce it where all
interested parties know where to look. Announcing it here in Usenet and in
a personal web page means that relatively few people will read it, and the
world is less safe, not more safe. MS would also have tested the
workarounds and given a threat level assessment that help people know how
seriously to take this.

Imhotep
07-09-2005, 10:53 PM
Karl Levinson, mvp wrote:

>
> "Imhotep" <NoSpam@NoThanks.com> wrote in message
> news:2r5qe.9589$tr.7589@fed1read03...
>
>> A couple of things I disagree with you on. Most companies have some sort
> of
>> http proxy/application layer filter.
>
> I feel it's not quite that simple... Many large enterprises have proxy
> servers but have unknown numbers of users and apps that require
> JavaScript,
> while many small businesses don't have proxy servers. Most home users
> don't
> read security bulletins to make manual changes. Many of them don't even
> enable automatic updates. I would say the amount of total Internet users
> behind proxies is probably less than 50%, and of those, the number that
> can safely disable JavaScript and do it in less than 30 days is much lower
> than 50%.


Yes, most home users do not have a proxy server. This is true. However,
large companies that have critical data (yes, even YOUR data) need to
protect it. Think about a credit card database. These companies need to
know right away when there is an un-patched security hole so, they can
protect their data (and yes, your data too in the example of a credit card
database).


>> I simply limited the sites that our
>> users can use javascript to (company related, company partners, etc). I
>> created this list from the last time IE had javascript "issues". Second,
>> saying Microsoft needs 45 days to fix this is a load of cow "flap". That
> is
>> nothing more than an excuse. Microsoft should have a shorter window than
>> that. They are the riches company on the Planet, so hire more people.
>> That "window" should not be larger than a week....
>
> You are wrong. People are cheap, much cheaper than bad press and lost
> customers. If it was as simple as adding more people, MS would have
> already
> done it. A million paid MS employees doing QA testing still can't
> replicate all the hardware and software applications being used by real
> people in the
> real world. The reality we face is that it has taken MS 45 days for every
> single patch for the past 2 years. Even then, MS had to re-release two or
> three of their patches from 2004 due to problems, twice due to problems
> with
> language localized versions of Windows. MS knows this is a problem and
> can probably make this better, but only with future versions of Windows.

No, I am afraid you are wrong. Let's look at this logically, shall we? You
are saying that 45 days is enough, right? What is 45 days in man hours? So,
you are saying that by doubling the people working on their patches this 45
days could not be reduced? You are wrong...

Microsoft is on the 45 (or more) day patch time simply because they can get
away with it. Pure and simple. They have the market share and could not
care less...


>> Simply, hiding the fact that this exists is lame at best. If this guy
>> discovered it who is to say it has not been known for some time by people
>> who are currently using the technique? Really, this technique could have
>> been in use for months or more already....
>
> It hasn't, but if it has, another month isn't that big a deal.

It has not? Is that what your crystal ball is telling you? Logically you do
not know who was the *first* to discover it. All you know is, who was the
first to *report* it...

And yes, another month is a big deal. Do you have any clue about what you are
talking about? Do you have any clue about security at all?

>> Posting allows people like my self to take immediate action to at least
>> limit this gapping hole, yet again, in a MS product.
>
> Unfortunately, "people like yourself" who can secure yourself against this
> is far far less than 50% of the MS customer base, and is close to 0% of
> home users.

Although I feel bad for the home users, it is the corporations that worry
me. A leakage of say, a credit card database, can have serious
consequences. Not only legal responsibilities for the company that "lost"
the data but also, can be a nightmare for the person whose info was lost.
Now add to the fact that someone has to "eat" the bill like the credit card
company itself. Who do you really think pays the tab? The credit card
company? Nope. You and me...


>> Security by obscurity never works....
>
> That's just not true. You should never rely solely on security by
> obscurity, but obscurity is not useless. Obscurity can and does still add
> security. The book "Writing Secure Code v2" backs this up.

Obscurity leads to a false feeling of security due to the fact some ignorant
and incompetent person believes that they are more "secure" because of it.
Obscurity hurts more than it helps. Always has and always will.

> Releasing security bulletins to the general public when there is no
> practical solution does nothing but create panic, which is not useful. If
> this was a vague terrorism warning with no good solution, instead of a
> computer security warning with no good solution, this fact would be more
> obvious.

WRONG! Releasing info right away helps medium and large corporations protect
YOUR data! Since a competent staff will find a temp work around to protect
itself. As I did at my company. The problem is that MS cares more about
its image than true security, to the point it has convinced people like you
into actually believing the BS about not releasing the info...

Like I said before, you will never truly know when a security hole was
discovered. You really only know who was the first to report it. Think
about that. There is a very important difference there...


> Besides, if you really wanted to make the world safer by letting the world
> know, the best way to do this would be to let MS announce it where all
> interested parties know where to look. Announcing it here in Usenet and
> in a personal web page means that relatively few people will read it, and
> the
> world is less safe, not more safe. MS would also have tested the
> workarounds and given a threat level assessment that help people know
> seriously to take this.

Do you really believe the spew coming out of your mouth? WRONG! It was
announced here (and other newsgroups) so dedicated security personnel could
install a work around. Face it, Microsoft just takes too long because they
can. I hope some day companies get smart and start a class action
lawsuit.....

Any patch that takes more than 7 days is too long to wait...and we are all
suckers for not holding Microsoft accountable.....

Karl Levinson, mvp
07-09-2005, 10:53 PM
"Imhotep" <NoSpam@NoThanks.com> wrote in message
news:cVBqe.9743$tr.1025@fed1read03...

> Yes, most home users do not have a proxy server. This is true. However,
> large companies that have critical data (yes, even YOUR data) need to
> protect it. Think about a credit card database. These companies need to
> know right away when there is an un-patched security hole so, they can
> protect their data (and yes, your data too in the example of a credit card
> database).

Maybe you've never tried to push a critical patch to an enterprise of
700,000+ systems in small remote sites of 3 users each, including mobile
moving offices, across the world. It takes way more than a day, a week,
sometimes more than a month, and after a month, another patch has come out,
starting the process all over again before the first one is finished being
installed. And then certain patches are re-released due to problems, and
that affects the people who already deployed those patches immediately.

And then some site support technicians or department heads ignore the demand
from HQ that a patch be installed within X number of days, because they are
understaffed and the money comes from the customers and the regional
operations office, not the central HQ IT security office. Taking an admin
away from his desk to work on pushing patches every single month delays work
on a critical money making application or important sales person's laptop
problem, and that won't do.

As an aside, this is why it is a good thing that MS is choosing to release
patches just once a month, and Oracle patches just four times a year, and
why the customers of both are applauding this idea. Yes, patches and
keeping data secure are important, but keeping the company out of bankruptcy
will always be more important than security, and rightly so. Security is
actually enhanced by delaying the release of patches up to 30 days or more,
by reducing work for the sysadmins who do the patching and testing. MS is
releasing more than 7 bulletins and patches this month, that would average
about two patches a week just for Microsoft products alone, and previous
months have been the same. No one can successfully run a large enterprise
while patching that often, they would go bankrupt and/or never get anything
done.


> No, I am afraid you are wrong. That's look at this logically shall we? You
> are saying that 45 days is enough, right? What is 45 days in man hours?
So,
> you are saying that by doubling the people working on their patches this
45
> days could not be reduced? You are wrong...

It doesn't work that way. Patch testing does not just involve MS employees,
it involves unpaid volunteers from outside of MS. Increasing the number of
volunteer testers increases patch quality, and reduces the chance that
you'll have to delay patch release due to some testers slacking off and not
submitting input by the deadline. If you have 1,000 unpaid testers and gave
them a deadline of a week to test, and then you added 10,000 more unpaid
testers, you couldn't then reduce your deadline to a day or three, they'd
still need a week, and if any problems were found, that means making a
change and testing for another week. By your logic, you should be able to
add a million people and take the patch release time down to 15 minutes.
But you can't.

> Microsoft is on the 45 (or more) day patch time simply because they can
get
> away with it. Pure and simple. They have the market share and could not
> careless...

Well, they're patching once a month because customers wanted that.
Customers also said they weren't installing patches because they were afraid
of some of the past patching problems. That was a problem as well. MS has
made their patches more reliable, again at customer request.

> > It hasn't, but if it has, another month isn't that big a deal.
>
> It has not? Is that what your crystal ball is telling you? Logically you
do
> not know who was the *first* to discover it. All you know is, who was the
> first to *report* it...
>
> And yes another month is a big deal. Do you have any clue about what you
are
> talking about. Do you have any clue about security at all?

Yes, I do. Security is about managing risk. Managing risk sometimes means
proactively reducing risk or the impact of a threat, if it saves you money
or work to do so, but it almost always means accepting some risk and some
inevitable security violations. It's not about preventing compromises or
making your network an impenetrable fortress. For an average copper-wired
TCP/IP network using ARP and switches and SSL / HTTPS / WPA encryption that
is trivial to break or hijack, this just isn't feasible to even try to do.

> > Unfortunately, "people like yourself" who can secure yourself against
this
> > is far far less than 50% of the MS customer base, and is close to 0% of
> > home users.
>
> Although I feel bad for the home users, it is the corporations that worry
> me. A leakage of say, a credit card database, can have serious
> consequences.

As Microsoft and others have found, corporations are often compromised via
home users. A greater and greater percentage of workers are processing work
data from home at least once in a while.

> >> Security by obscurity never works....
> >
> > That's just not true. You should never rely solely on security by
> > obscurity, but obscurity is not useless. Obscurity can and does still
add
> > security. The book "Writing Secure Code v2" backs this up.
>
> Obscurity leads to a false felling of security due to the fact some
ignorant
> and incompetent person believes that they are more "secure" because of it.
> Obscurity hurts more than it helps. Always has and always will.
>
> > Releasing security bulletins to the general public when there is no
> > practical solution does nothing but create panic, which is not useful.
If
> > this was a vague terrorism warning with no good solution, instead of a
> > computer security warning with no good solution, this fact would be more
> > obvious.
>
> WRONG! Releasing info right away helps medium and large corporations
protect
> YOUR data!

But only if there is a practical solution. A security warning without
actionable information just causes panic.

And even if the bulletin does have some kind of workaround solution, often
it is a solution that the enterprise cannot feasibly implement due to
application requirements, or that the enterprise decides not to implement
because the workaround is more costly or burdensome in some way than
implementing the workaround.

Most enterprises are very unlikely to take a drastic measure like an
emergency configuration change only if that information came from a trusted
source such as a paid vendor relationship, not some guy on the Internet. So
again, your bank isn't likely to take action unless the security bug finder
works with MS to have MS release it. Even then, most enterprises don't
enact emergency workarounds ever, unless there is already a clearly
documented threat. Most enterprises just harden machines, install patches
on the fastest regular schedule they can muster, and have an incident
response team to clean up the inevitable messes.

> Since a competent staff will find a temp work around to protect
> itself. As I did at my company. The problem is that MS cares more about
> its image than true security to the point it has convinced people like you
> into actually believing the BS about not releasing the info...

Even the people in the security community who are in favor of releasing info
about unpatched vulnerabilities are almost unanimously against releasing
fully functional attack exploit code like this person did. What's to stop
an attacker from just re-using or modifying this code directly? Widespread
attacks of various vulnerabilities have happened demonstrably faster when
some kind of example attack code was posted by the bug finder. Such attacks
have been deconstructed and found to have borrowed attack code from the bug
finder. That leaves the bug finder open to civil and legal liability, a
position the bug finder should not want to be in.

> Do you really believe the spew coming out of your mouth? WRONG! It was
> announced here (and other newsgroups) so dedicated security personnel could
> install a work around.

How many enterprises do you think are really reading the information here in
this newsgroup, and then convince their businesses to act on it? If there
are any out there, speak up now. Most enterprises wait until a vuln is
reported in the mainstream media.

> Any patch that takes more than 7 days is too long to wait...and we are all
> suckers for not holding Microsoft accountable.....

I didn't say anything about not holding MS accountable. I've asked them
myself what they are doing to fix this big problem, and I got a reasonable
answer. I just don't believe it can happen with the currently released
versions of Windows, due to the architecture choices made.

But I also hold the bug finders accountable. Windows is more secure than
ever before, but it is also more vulnerable than ever before, due in part to
more and more bug finders releasing public information on unpatched
vulnerabilities. They usually make claims about this being to save the
world from insecure software, but the real reason is often because unpatched
vulns become big news and make free publicity for the finder. This is a
selfish reason that does not save humanity as claimed.

Joe Richards [MVP]
07-09-2005, 10:53 PM
I am not even sure there is a bug here. Even if there is a bug, I wouldn't say
it was a security hole, though a security exploit might utilize this in
conjunction with a real security hole, maybe, doubtful, but maybe. Not being
able to see the source is not a security hole. Most people don't look at the
source and if the source executes, it is already too late if the code is a real
security issue. If someone knowledgeable does want to look at the source, they
probably understand multiple mechanisms to get it in and out of IE.

You are actually incorrect in that you have to close IE and reopen to get it to
run the script again. You simply have to go to a different page and then reenter
the URL. Depending on your temporary file settings this may or may not generate
a call back to the server to see if there is a newer page. In either case, the
script will be run again because the raw document will be parsed through again.

In my mind, the question is what exactly should happen when doing a
document.write after the onload event occurs. I don't think that is spelled out
by standard, if you have found that it is, please point me at the specific
document and section. Otherwise, that would mean, at least to me, that both the
vendor choosing to honor the write and overwrite the document[1] or ignoring the
write entirely would both be valid choices. The fact that Firefox ignores it and
IE doesn't doesn't mean there is a bug or security hole here, just that they
have different implementations for something undefined by standard.

The fact that it doesn't properly reload the page when you refresh is probably
due to the fact that the page rendered is not improper HTML. There *may* be a
bug here in that for some reason IE won't ask the server if the page has been
updated. Though it does so if you leave the page and reenter the URL. Both of
those functions should operate similarly so it is simply inconsistent.

Quite honestly, it really doesn't look like any real research was put into this.
If anything it sounds like your statement "This bug can give totally unexpected
results to a (inexperienced) JavaScript programmer " is self descriptive and you
ran into it and wrote it up as a security hole. I wouldn't be entirely surprised
if the work I put into writing the response was more research than was put into
the original document.

joe



[1] All page tags should already be closed at the point of the window.onload
event so it wouldn't be correct to append to the current document.


--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Pascal Vyncke wrote:
> Hi,
>
> I discovered a NEW security hole / exploit in IE6 with SP2 and all the
> latest security patches.
>
> Overview of the exploit:
>
> * Bug for all Microsoft Internet Explorer users
> * Can be abused by hackers to run harmful JavaScript code and can be abused
> to mislead existing protection against harmful JavaScript code, like
> software from Norton, McAfee,.
> * Can be abused to mislead the search engines Google, MSN, Yahoo,
> AltaVista,.
> * Unpleasant for JavaScript programmers
>
> All the information about the NEW horrible bug (info, exploit,.) , see the
> page
> http://research.seniorennet.be/Techresearch/Javascript_security_flaw_bug_ie_6/security_flaw_bug_javascript_ie_6_internet_explorer.php
>
> Best regards,
> Pascal Vyncke
>
>
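The behaviour Joe describes above (a document.write() issued from window.onload replacing the already-closed document, so that "view source" no longer matches what is rendered) can be reproduced with the following page. This is an added example, not code from the thread or from the linked research page, and the element ids and function name in it are made up for the demonstration. Since Joe wrote his reply, the WHATWG HTML standard has specified this case: document.write() on a document whose parser has finished calls document.open(), which discards the current document, so current browsers, Firefox included, behave the way IE6 did rather than ignoring the write.

```html
<!-- Added example: load this file in a browser, then compare "view source"
     with the rendered page. Ids and the dumpDom() helper are invented here. -->
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>document.write after onload</title>
<script>
// Fires after the parser has finished; every tag in this file is closed.
window.onload = function () {
  // Per the HTML standard, document.write() with no active parser first
  // calls document.open(), which removes the existing document contents.
  // What follows therefore REPLACES the page rather than appending to it,
  // while "view source" still shows only this static file.
  document.write('<!DOCTYPE html><html><head><meta charset="utf-8">');
  document.write('<title>Replaced after onload</title></head><body>');
  document.write('<p id="live">This markup never appears in view-source.</p>');
  // The script is written into the new document as well, so it survives
  // regardless of whether the browser keeps or replaces the global object.
  document.write('<script>');
  document.write('function dumpDom() {');
  document.write('  document.getElementById("dump").textContent =');
  document.write('    document.documentElement.outerHTML;');
  document.write('}');
  document.write('<\/script>');
  document.write('<button onclick="dumpDom()">Show live DOM</button>');
  document.write('<pre id="dump"></pre>');
  document.write('</body></html>');
  document.close();
};
</script>
</head>
<body>
<p id="original">Original content from the static source file.</p>
</body>
</html>
```

Clicking the button prints document.documentElement.outerHTML, i.e. the DOM as it exists after the write. That is the practical point behind Joe's remark that anyone who wants the real source has other ways to get it: whatever a filter or crawler learns from the raw HTTP response, the executed page is always recoverable from the live DOM, so this technique hides script only from tools that never render it.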

karen
07-09-2005, 10:54 PM
"Imhotep" <NoSpam@NoThanks.com> wrote in message
news:2r5qe.9589$tr.7589@fed1read03...
> Karl Levinson, mvp wrote:
>
>>
>> Microsoft always takes at least 45 days to test and release a patch.
>> Your
>> publishing this vuln will do nothing to speed up MS releasing a patch.
>> And if it did, that would probably be a bad thing, because it increases
>> the risk that their patch might break something for someone running a
>> non-English
>> version of Windows in say, Belgium. That kind of problem happened two or
>> three times in 2004.
>>
>>
>
> A couple of things I disagree with you on. Most companies have some sort
> of
> http proxy/application layer filter. I simply limited the sites that our
> users can use javascript to (company related, company partners, etc). I
> created this list from the last time IE had javascript "issues". Second,
> saying Microsoft needs 45 days to fix this is a load of cow "flap". That
> is
> nothing more than an excuse. Microsoft should have a shorter window than
> that. They are the richest company on the Planet, so hire more people. That
> "window" should not be larger than a week....
>

Except that hiring more people initially slows down a job, and often won't
ever make things go any faster. Programming requires communication between
people on the team, and if there are more people, more time is spent
communicating, and less is spent programming. A smaller team is often much
faster than a larger team.
-karen

