New JavaScript security leak - IE6 and Opera

Pascal Vyncke

Hi,

I discovered a NEW security hole / exploit in IE6 with SP2 and all the
latest security patches.

Overview of the exploit:

* Bug for all Microsoft Internet Explorer users
* Can be abused by hackers to run harmful JavaScript code and can be abused
to mislead existing protection against harmful JavaScript code, like
software from Norton, McAfee, ...
* Can be abused to mislead the search engines Google, MSN, Yahoo,
AltaVista, ...
* Unpleasant for JavaScript programmers

All the information about the NEW bug (info, exploit, ...), see the page
http://research.seniorennet.be/Tech...law_bug_javascript_ie_6_internet_explorer.php

Best regards,
Pascal Vyncke
 
VK

A "security hole" is a possibility to exit from the frame of the script
sandbox, thus accomplishing operations not normally allowed by the current
security model.

A "privacy exploit" (as a "minor" variant of a security hole) is a
possibility to obtain personal/system information not normally exposed
by the current security model.

Your "bug" is neither. It's a variant of a code obfuscator,
harmless as it is.

Keep on searching though - nobody says there's nothing left to discover ;-)
 
VK

If you're interested in some *serious* mind work, you may jump on this
privacy exploit exposed by all current browsers with CSS support:

<https://bugzilla.mozilla.org/show_bug.cgi?id=147777>

(I know that Microsoft is starving on it too, but secretly).
To date it seems impossible to fix it without disturbing the browsing
experience or w/o locking a major part of browser functionality. Maybe
you will come up with a fresh idea?
 
Lasse Reichstein Nielsen

Pascal Vyncke said:
> I discovered a NEW security hole / exploit in IE6 with SP2 and all the
> latest security patches.

I checked your link. This is standard use of document.write to create
a new page, only used immediately after the first page loads.
(Btw, remember to call document.close after writing)

> Overview of the exploit:
>
> * Bug for all Microsoft Internet Explorer users

It's most likely the same for all browsers, as it is standard behavior.

> * Can be abused by hackers to run harmful JavaScript code and can be abused
> to mislead existing protection against harmful JavaScript code, like
> software from Norton, McAfee, ...

If you can call document.write, you are already running Javascript
code. Harmful code might as well be run immediately instead of
being deferred to a new page.

> * Can be abused to mislead the search engines Google, MSN, Yahoo,
> AltaVista, ...

Any way to hide content can do that. There are plenty of more
ingenious ways.

> * Unpleasant for JavaScript programmers

Hardly a security problem.

I fail to see a problem.

Also, in my Opera 8, I can merely press the back button to go back to
the page with the document.write on it, and see the source without
problems. In IE, you can disable javascript if you want to see the page.

/L
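The behaviour Lasse describes (a document.write call made after the page has finished loading replaces the whole document, which is the entire "ghost" effect) can be reproduced with the small test page below. It is an added example, not code from the thread or from Pascal's page; the markup, the button and the text written into the replacement document are all constructed for illustration.

```html
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>document.write after load (added example)</title>
</head>
<body>
<h1>Original page content</h1>
<p>This paragraph is part of the markup the server delivered.</p>
<!-- onclick attribute rather than addEventListener so the page also works in IE6 -->
<button onclick="rewritePage()">Call document.write() now</button>

<script>
// While the parser is still running, document.write() inserts text at the
// current position and the original markup stays intact.
document.write('<p>Written during parsing: the heading above is still here.</p>');

// Once parsing has finished, the first document.write() call implicitly runs
// document.open(), which discards the current document. Everything written
// afterwards becomes the new page. The served HTML has not disappeared: it is
// simply no longer the document being displayed, and View Source (or the Back
// button in Opera, as Lasse notes) still shows it.
function rewritePage() {
  document.open();   // explicit, so the reset is visible in the code
  document.write('<!DOCTYPE html><html><head><meta charset="utf-8">');
  document.write('<title>Replacement document</title></head><body>');
  document.write('<p>This is a brand new document created by script.</p>');
  document.write('<p>Use View Source or the Back button to see the original markup.</p>');
  document.write('</body></html>');
  document.close(); // closes the output stream; without it the page keeps "loading"
}
</script>
</body>
</html>
```

Save the file locally, open it, click the button, then use View Source or Back: the original markup is still exactly what was delivered, which is the point Lasse and Randy both make. The document.close() call at the end is the step Lasse reminds Pascal about; leaving it out is a common cause of a page that never stops loading.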
 
Randy Webb

Pascal said:
> Hi,
>
> I discovered a NEW security hole / exploit in IE6 with SP2 and all the
> latest security patches.

No you didn't, you just think you did.

Let me quote your own site:

<quote>
This bug can give totally unexpected results to a (inexperienced)
JavaScript programmer because only some output is given to the user (the
output of the JavaScript), but all the other HTML used on the page will
disappear (like a ghost).
</quote>

First, that's the way it works. Always has worked that way.
Second, the HTML didn't disappear, you just don't know how to get to it.
Third, your description of "inexperienced JavaScript programmers"
describes anyone who thinks that is a "bug".

> Overview of the exploit:
>
> * Bug for all Microsoft Internet Explorer users
> * Can be abused by hackers to run harmful JavaScript code and can be abused
> to mislead existing protection against harmful JavaScript code, like
> software from Norton, McAfee, ...

Prove that statement by providing an example of it happening. But, it
can't happen if the code is just placed in a page. Meaning, show some
code that generates harmful code that is not harmful without using this
"ghost bug" you describe.
 
Hallvord R. M. Steen

VK said:
> How did they fix it? You cannot read style properties of links?
> You cannot read style properties of elements containing links
> in them? (see the case
> <https://bugzilla.mozilla.org/show_bug.cgi?id=147777#c50>)
>
> I don't have Opera on me right now, could you please give me an
> idea of the approach they've used?

Come on and grab a copy for testing, it's a fast download :)
http://www.opera.com/download/

The fix (available in version 8): Reading styles with getComputedStyle
returns the :link style, not the :visited even for visited links.
Trying your test cases, it seems the fix isn't watertight (and of course
there are way too many variations of styling to really cover it all) but
interestingly the response is rather random. I get "unknown" most of the
time, even for pages that *are* visited, and sometimes an incorrect
"visited" status for pages that are not, so I'd say the exploit is rather
useless with Opera's current implementation and the fix is good enough.

(I have read through the test case script but not debugged it
sufficiently to tell if the random responses are due to bugs in the
getComputedStyle implementation or by design to protect your privacy! :) )

Anyway, it's nice to see that we fix small issues even if no exploits have
been found in the wild yet and no "big" security research co has picked
them up.
 
Lasse Reichstein Nielsen

VK said:
> How did they fix it?

How did who fix what? (Please have some context with your questions :)
I am guessing you are referring to Opera not being vulnerable to this
snooping.

> You cannot read style properties of links?
> You cannot read style properties of elements containing links
> in them? (see the case
> <https://bugzilla.mozilla.org/show_bug.cgi?id=147777#c50>)
>
> I don't have Opera on me right now, could you please give me an
> idea of the approach they've used?

It seems that getComputedStyle doesn't in fact give the rendered
style, but the style it would have had if the links were all
unvisited.

I use this page to check it:
<URL:http://www.infimum.dk/privat/snoopCheck.html>

/L
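A minimal self-check page in the spirit of Lasse's snoopCheck, written here as an added example (it is not the snoopCheck page, whose source is not reproduced in the thread, nor the Bugzilla test cases): it styles :link and :visited in two different colours and asks the browser, through getComputedStyle (with IE's proprietary currentStyle as the fallback), which colour it reports for a link that is known to be visited (the page itself, which is in history once it has loaded) and for one that is known not to be (a constructed placeholder on the reserved .invalid domain). A browser that applies the mitigation Hallvord and Lasse describe reports the :link colour for both anchors; the element ids and the placeholder URL are assumptions of this example.

```html
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>:visited computed-style check (added example)</title>
<style>
  /* Two distinct colours so the two states are trivially distinguishable. */
  a:link    { color: rgb(0, 0, 255); }
  a:visited { color: rgb(255, 0, 0); }
</style>
</head>
<body>
<p>With the Opera 8 style mitigation both links should report the :link colour.</p>
<!-- An empty href resolves to this very page, which is in history once loaded. -->
<a id="known-visited" href="">this page itself (known visited)</a><br>
<!-- Constructed placeholder on the reserved .invalid TLD; never a real host. -->
<a id="known-unvisited" href="http://never-visited.invalid/">placeholder (known unvisited)</a>
<pre id="report"></pre>

<script>
// What the browser *reports* as the link colour, via the same
// getComputedStyle call the thread discusses. IE6 lacks getComputedStyle;
// el.currentStyle is its equivalent.
function reportedColor(el) {
  if (window.getComputedStyle) {
    return window.getComputedStyle(el, null).color;
  }
  if (el.currentStyle) {
    return el.currentStyle.color;
  }
  return null;
}

// A mitigated browser returns the :link colour for every anchor, so the two
// readings are equal. A differing reading means the rendered :visited style
// is observable from script, i.e. history state is exposed.
function checkMitigation() {
  var visited = reportedColor(document.getElementById('known-visited'));
  var unvisited = reportedColor(document.getElementById('known-unvisited'));
  var lines = [
    'known-visited link reports:   ' + visited,
    'known-unvisited link reports: ' + unvisited,
    (visited === unvisited)
      ? 'OK: computed style does not distinguish visited from unvisited.'
      : 'LEAK: computed style differs, so history state is exposed to script.'
  ];
  // createTextNode rather than textContent so the page also runs in old IE.
  document.getElementById('report').appendChild(
    document.createTextNode(lines.join('\n')));
}
checkMitigation();
</script>
</body>
</html>
```

This checks only the simplest variation (a colour on the anchor itself). Hallvord's caveat applies: the Bugzilla test cases cover many more ways of styling a visited link and of styling elements around it, and a fix that passes this page can still fail some of those.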
 
Jim Ley

Hallvord R. M. Steen said:
> The fix (available in version 8): Reading styles with getComputedStyle
> returns the :link style, not the :visited even for visited links.

Which is of course grossly insufficient, as described by the testcases
in the bug, as nicely explained there's no way without hobbling all
scripting.

Please don't pretend that Opera is safe from this information leak,
it's not, and if it's to remain a viable DHTML platform then it will
never be.

Jim.