XP SP2 IE6 vulnerability

From: CnS (cns_at_free.fr)
Date: 09/16/04

Date: 15 Sep 2004 15:46:57 -0700

Background information

Windows XP Service Pack 2 has introduced new features that improve browsing
security in Internet Explorer. Most of them are additional messages that force
the user to validate everything that is done by the browser. Most of these
messages are displayed in the new Information Bar. For example, if you try to
open a web page that contains Javascript code or ActiveX objects, it is likely
that they will be blocked; the Information Bar will then appear and offer to
reload the page with the untrustworthy components enabled.

More information can be found at:

The side effect of these features is that some web sites can't be used as
easily as before because the user has to respond to an increasing number
of notifications and questions.

Vulnerability Explained

As an example I created a simple XHTML document containing MathML and installed
the MathPlayer ActiveX plugin from DesignScience (http://www.dessci.com/en).
This type of document used to render correctly in IE6, but since SP2 was
installed the new features interfere with the loading of the component: the
page is first loaded without MathPlayer, which then has to be enabled via the
Information Bar.

But there seems to be a vulnerability in Internet Explorer that allows this
protection to be bypassed. All that needs to be done is to add a fake comment
between the DOCTYPE declaration and the <html> tag that mimics those added by
IE when a page is saved to disk. The "fake" comment must be formatted as
follows:

<!-- saved from url=(XXXX)URL -->

where URL is to be replaced by a URL (for instance http://www.example.com/)
and XXXX by a 4-digit, zero-padded integer that represents the number of
characters in the URL (for instance 0023).
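The comment above is the "Mark of the Web" that IE writes when it saves a page, and the 4-digit count is the only structural check it carries. The following script is an added example, not part of the original post: it parses that comment out of a document, verifies the declared length against the real URL length, and reports the kind of anomaly a defender reviewing files on disk would want flagged (a mark whose count does not match was typed by hand, not written by IE). The sample documents, the regular expression and the function names are my own constructions.

```python
import re

# Mark of the Web comment as IE writes it on save: a 4-digit, zero-padded
# length in parentheses, immediately followed by the URL itself.
MOTW_RE = re.compile(
    r"<!--\s*saved from url=\((\d{4})\)(\S+?)\s*-->", re.IGNORECASE
)

# Constructed sample: the shape of the document from the advisory,
# with a correctly counted mark (23 characters in the URL).
SAVED_BY_IE = """<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1 plus MathML 2.0//EN"
  "http://www.w3.org/TR/MathML2/dtd/xhtml-math11-f.dtd">
<!-- saved from url=(0023)http://www.example.com/ -->
<html xmlns="http://www.w3.org/1999/xhtml"><head><title>ok</title></head>
<body/></html>
"""

# Constructed sample: same document, but the count was written by hand and
# does not match the URL length.
HAND_WRITTEN = SAVED_BY_IE.replace("(0023)", "(0010)")

# Constructed sample: a document with no mark at all.
NO_MARK = "<html><head><title>plain</title></head><body/></html>\n"


def parse_motw(document):
    """Return (declared_length, url, actual_length) for the first Mark of
    the Web comment in `document`, or None if the document has none."""
    m = MOTW_RE.search(document)
    if not m:
        return None
    declared = int(m.group(1))
    url = m.group(2)
    return declared, url, len(url)


def motw_findings(document):
    """Produce a list of human-readable findings about the mark, if any:
    its presence (and the origin it claims), a length mismatch, and a URL
    without a scheme. Returns an empty list for documents without a mark."""
    findings = []
    parsed = parse_motw(document)
    if parsed is None:
        return findings
    declared, url, actual = parsed
    findings.append("mark present: claims origin %s" % url)
    if declared != actual:
        # IE always writes the exact length; a mismatch means the comment
        # was authored by something else.
        findings.append(
            "length mismatch: declared %d, actual %d" % (declared, actual)
        )
    if not re.match(r"^[a-z][a-z0-9+.-]*:", url, re.IGNORECASE):
        findings.append("URL in mark has no scheme: %s" % url)
    return findings


def scan(documents):
    """Map a name to its findings for every document that carries a mark;
    documents without a mark are left out of the result."""
    result = {}
    for name, text in documents.items():
        found = motw_findings(text)
        if found:
            result[name] = found
    return result


if __name__ == "__main__":
    samples = {"ie": SAVED_BY_IE, "hand": HAND_WRITTEN, "none": NO_MARK}
    for name, found in scan(samples).items():
        print(name)
        for line in found:
            print("  -", line)
```

Run it on a directory of saved pages by reading each file into the `documents` mapping passed to `scan`; the length check is deliberately strict because IE never writes a mark whose count is off by even one character.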

System Affected

Windows XP Pro and Home editions with SP2
IE 6.0 (SP2)

How to reproduce

Install the plugin from DesignScience. Paste the following text in a file
with an .xml extension. Open it with IE, with and without the comment on
line 4.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1 plus MathML 2.0//EN"
  "http://www.w3.org/TR/MathML2/dtd/xhtml-math11-f.dtd">
<!-- saved from url=(0023)http://www.example.com/ -->
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>IE Vulnerability example</title></head>
<body>
<math xmlns="http://www.w3.org/1998/Math/MathML" displaystyle="true">
  <mrow><mi>x</mi><mo>+</mo><mn>1</mn></mrow>
</math>
</body>
</html>


This also works with pages containing Javascript code.
