Re: XP SP2 IE6 vulnerability
From: CnS (cns_at_free.fr)
Date: 16 Sep 2004 02:54:57 -0700
> > <!-- saved from usr=(XXXX)URL -->
> I'm not saying this isn't a potential vulnerability [I'm not convinced it is
> just yet], but this behavior is by design and is documented at microsoft.com
> and other places. Unless I'm mistaken, I believe XP SP2 does some checking
> to try to prevent conflicting zone information from leading to a zone
> escalation / cross domain attack.
Since SP2, IE's behavior has been modified and now I call it a vulnerability
because it allows security checks to be bypassed. I would have called it a
weakness or a strange behavior if security aspects - whether or not content
is allowed to be *executed* on the computer - were not involved.
Call it whatever you like; I'm only considering what it does to make my point.
Just replace the words "saved from url=XXX" with, say, "bypass security checks".
I'm not saying this could be used as is. However if the goal is to restrict
the execution of some components in pages stored on the local disk, whatever
way they land there, I believe it is ineffective and potentially dangerous -
people could be lured into thinking that it is secure *since* it is stored on
the disk or that sort of thing.
As I understand it, when the comment is present the page is run in the Internet
Zone which has limited rights. What about reading files from the directory
the page is in and sending data to a remote web site? These are actions
typically undertaken by ActiveX objects, nevertheless when executed from a
local drive they present a deep security threat.
> But if you as an attacker can modify files like this on the local hard
> drive, then there are any number of ways you can compromise the system. MS
> has disabled several of the ways in which an attacker could write an
> arbitrary file to the hard drive via IE. I could certainly be wrong, let me
> know if I am.
I believe the page itself is stored somewhere in the disk cache.
I'm a software editor selling CDROMs which contain MathML enabled web pages.
Since SP2 these pages do not run correctly in Internet Explorer. So what are
my options?
a. MathML isn't rendered by IE anyway, deal with it. Add a warning stating
that the software will not run with XP SP2.
b. Build a customized version of Mozilla and distribute it with your content.
c. Add the fake comment to the pages so IE will think they have been
downloaded and will execute the ActiveX plugin without a hitch.
Do you really think c. is an option for me? Do you think it is a reasonably
stable solution ?
Nah. To me this is a facet of IE's poor design.
-- Cyrille SZYMANSKI
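The "saved from url" comment discussed in this thread is IE's Mark of the Web. As an added example (not code from the thread or from Microsoft), the following Python audits a set of HTML files, checks whether the marker is well-formed (the four-digit field must equal the URL's length) and reports which zone the marked URL falls in. The sample files are constructed here; `MOTW_RE`, `parse_motw` and `audit_files` are names chosen for this example.

```python
import re
from typing import Optional

# Mark of the Web as IE writes it: "saved from url=(NNNN)URL", where NNNN is
# the zero-padded decimal length of URL. A mismatch means a malformed marker.
MOTW_RE = re.compile(r"<!--\s*saved from url=\((\d{4})\)(\S+?)\s*-->", re.IGNORECASE)

# Constructed sample pages (not real files): a CD-ROM page carrying a marker,
# a page with no marker, one with a wrong length, and one pointing at file://.
SAMPLES = {
    "cd_page.html": '<!-- saved from url=(0024)http://www.example.com/a -->\n<html></html>',
    "plain.html": "<html><body>no marker</body></html>",
    "bad_len.html": "<!-- saved from url=(0014)http://www.example.com/ --><html></html>",
    "generic.html": "<!-- saved from url=(0014)about:internet -->\n<html></html>",
    "local.html": "<!-- saved from url=(0021)file:///C:/docs/x.htm -->\n<html></html>",
}


def zone_for(url: str) -> str:
    """Coarse zone classification derived from the marked URL's scheme."""
    u = url.lower()
    if u.startswith(("http://", "https://", "about:internet")):
        return "internet"
    if u.startswith("file:"):
        return "local"
    return "unknown"


def parse_motw(html: str) -> Optional[dict]:
    """Return details of the first Mark of the Web comment, or None if absent."""
    m = MOTW_RE.search(html)
    if not m:
        return None
    declared, url = int(m.group(1)), m.group(2)
    return {"url": url, "declared_len": declared,
            "length_ok": declared == len(url), "zone": zone_for(url)}


def audit_files(files: dict) -> dict:
    """Map each file name to a one-line finding a reviewer can act on."""
    findings = {}
    for name, html in files.items():
        info = parse_motw(html)
        if info is None:
            findings[name] = "no MOTW: treated as local content"
        elif not info["length_ok"]:
            findings[name] = f"malformed MOTW: declared {info['declared_len']}, actual {len(info['url'])}"
        else:
            findings[name] = f"MOTW url={info['url']} zone={info['zone']}"
    return findings


if __name__ == "__main__":
    for name, finding in audit_files(SAMPLES).items():
        print(f"{name}: {finding}")
```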