Re: XP SP2 IE6 vulnerability

From: Karl Levinson [x y] mvp (levinson_k_at_despammed.com)
Date: 09/16/04


Date: Wed, 15 Sep 2004 22:57:12 -0400


"CnS" <cns@free.fr> wrote in message
news:fb0accb6.0409151446.44a3488d@posting.google.com...

> But there seems to be a vulnerability in Internet Explorer that allows
> this protection to be bypassed. All that needs to be done is to add a fake
> comment between the DOCTYPE declaration and the <html> tag that mimics
> those added by IE when a page is saved to disk. The "fake" comments must
> be formatted as follows :
>
> <!-- saved from url=(XXXX)URL -->

I'm not saying this isn't a potential vulnerability [I'm not convinced it is
just yet], but this behavior is by design and is documented at microsoft.com
and other places. Unless I'm mistaken, I believe XP SP2 does some checking
to try to prevent conflicting zone information from leading to a zone
escalation / cross domain attack.

> How to reproduce
> ================
>
> Install the plugin from DesignScience. Paste the
> following text in a file with an .xml extension. Open it with IE with and
> without the comment on line 4.

But if you as an attacker can modify files like this on the local hard
drive, then there are any number of ways you can compromise the system. MS
has disabled several of the ways in which an attacker could write an
arbitrary file to the hard drive via IE. I could certainly be wrong, let me
know if I am.
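The comment the thread is arguing about is IE's "Mark of the Web" (MOTW); the four digits in parentheses are the length of the URL that follows. The script below is an added example written for this page, not code from either poster or from Microsoft: it pulls every MOTW comment out of a saved page, checks that the declared length matches the URL, and flags documents that carry more than one mark or a mark whose length field is wrong, which is the kind of consistency check a reviewer of locally saved HTML or XML files would want before trusting the zone the comment claims. The sample documents are constructed for the example; the `audit_motw` heuristic is mine and says nothing about how IE itself decides the zone.

```python
import re
from dataclasses import dataclass

# Mark-of-the-Web comment as quoted in the post:
#   <!-- saved from url=(NNNN)URL -->
# NNNN is a zero-padded, four-digit decimal count of the characters in URL.
MOTW_RE = re.compile(
    r"<!--\s*saved from url=\((\d{4})\)(.*?)\s*-->", re.IGNORECASE | re.DOTALL
)
HTML_TAG_RE = re.compile(r"<html[\s>]", re.IGNORECASE)


@dataclass
class Motw:
    declared_len: int  # the NNNN field
    url: str           # the URL that follows it
    offset: int        # character offset of the comment in the document

    def length_matches(self) -> bool:
        """A MOTW written by the browser declares exactly len(url)."""
        return self.declared_len == len(self.url)


def find_motw(text: str) -> list[Motw]:
    """Return every MOTW comment in the document, in order of appearance."""
    return [
        Motw(int(m.group(1)), m.group(2), m.start())
        for m in MOTW_RE.finditer(text)
    ]


def audit_motw(text: str) -> dict:
    """Summarise what a reviewer would want to know about a saved page's MOTW.

    'suspicious' is a constructed heuristic for this example: more than one
    mark, or a mark whose length field disagrees with its URL, is something
    the browser would not have written itself.
    """
    marks = find_motw(text)
    html_tag = HTML_TAG_RE.search(text)
    html_offset = html_tag.start() if html_tag else len(text)
    lengths_ok = all(m.length_matches() for m in marks)
    return {
        "count": len(marks),
        "all_lengths_match": lengths_ok,
        "precedes_html_tag": all(m.offset < html_offset for m in marks),
        "origins": [m.url for m in marks],
        "suspicious": len(marks) > 1 or not lengths_ok,
    }


# Constructed sample: the form IE writes when an Internet-zone page is saved.
SAVED_OK = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<!-- saved from url=(0023)http://www.example.com/ -->
<html><body>hello</body></html>
"""

# Constructed sample: a hand-written mark whose length field (0099) does not
# match the 23-character URL, so it was not produced by saving the page.
SAVED_BAD_LEN = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<!-- saved from url=(0099)http://www.example.com/ -->
<html><body>hello</body></html>
"""

# Constructed sample: the generic about:internet form, which names no site and
# only asks for Internet-zone treatment.
SAVED_ABOUT = "<!-- saved from url=(0014)about:internet -->\n<html></html>"

if __name__ == "__main__":
    for name, doc in (("ok", SAVED_OK), ("bad_len", SAVED_BAD_LEN), ("about", SAVED_ABOUT)):
        print(name, audit_motw(doc))
```

Run it on any saved `.htm` or `.xml` file by reading the file into `audit_motw`; a result with `suspicious` set is a document whose mark was edited or inserted by hand rather than written by the browser, which is exactly the case the original poster describes.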
