Re: XP SP2 IE6 vulnerability

From: Karl Levinson [x y] mvp (levinson_k_at_despammed.com)
Date: 09/16/04


Date: Wed, 15 Sep 2004 22:57:12 -0400


"CnS" <cns@free.fr> wrote in message
news:fb0accb6.0409151446.44a3488d@posting.google.com...

> But there seems to be a vulnerability in Internet Explorer that allows this
> protection to be bypassed. All that needs to be done is to add a fake comment
> between the DOCTYPE declaration and the <html> tag that mimics those added by
> IE when a page is saved to disk. The "fake" comments must be formatted as
> follows:
>
> <!-- saved from usr=(XXXX)URL -->

I'm not saying this isn't a potential vulnerability [I'm not convinced it is
just yet], but this behavior is by design and is documented at microsoft.com
and other places. Unless I'm mistaken, I believe XP SP2 does some checking
to try to prevent conflicting zone information from leading to a zone
escalation / cross domain attack.

> How to reproduce
> ================
>
> Install the plugin from DesignScience. Paste the
> following text in a file with an .xml extension. Open it with IE with and
> without the comment on line 4.

But if you as an attacker can modify files like this on the local hard
drive, then there are any number of ways you can compromise the system. MS
has disabled several of the ways in which an attacker could write an
arbitrary file to the hard drive via IE. I could certainly be wrong, let me
know if I am.
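As an added example, not part of this thread or of anything CnS or Karl posted, here is a small Python audit routine a defender can run over saved pages: it finds Mark-of-the-Web style comments (the documented `<!-- saved from url=(NNNN)URL -->` form is assumed, where NNNN is the length of the URL), checks that the length field matches, records whether each mark sits before the `<html>` tag where IE writes its own, and flags a file that carries conflicting marks. The sample document is constructed for the example.

```python
import re

# Mark of the Web (MOTW) comment as Internet Explorer writes it when a page is
# saved to disk, e.g. <!-- saved from url=(0014)about:internet -->. The
# four-digit field states the length of the URL that follows it.
MOTW_RE = re.compile(r"<!--\s*saved from url=\((\d{4})\)(.*?)\s*-->",
                     re.IGNORECASE | re.DOTALL)
HTML_TAG_RE = re.compile(r"<html\b", re.IGNORECASE)


def audit_motw(doc):
    """Report every MOTW-style comment in doc: the zone URL it claims, whether
    the mark is well formed, whether it precedes <html>, and whether the file
    carries conflicting marks (more than one well-formed URL)."""
    html_tag = HTML_TAG_RE.search(doc)
    html_pos = html_tag.start() if html_tag else None
    findings = []
    for m in MOTW_RE.finditer(doc):
        declared_len, url = int(m.group(1)), m.group(2)
        findings.append({
            "url": url,
            # A mark whose length field does not match its URL is malformed.
            "length_ok": declared_len == len(url),
            # IE places its own mark before the <html> element.
            "before_html": html_pos is None or m.end() <= html_pos,
        })
    distinct_urls = {f["url"] for f in findings if f["length_ok"]}
    return {"marks": findings, "conflicting": len(distinct_urls) > 1}


# Constructed sample: DOCTYPE, then a mark in the slot IE uses, then <html>.
SAMPLE = """<?xml version="1.0"?>
<!DOCTYPE html>
<!-- saved from url=(0014)about:internet -->
<html><body>hello</body></html>
"""

if __name__ == "__main__":
    for mark in audit_motw(SAMPLE)["marks"]:
        print(mark)
```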