IE Flaw in Local Zone


Guest LilBambi


According to one tech site, GreyMagic did not release this information for 4 months to allow Microsoft time to fix it, but probably figured that after 4 months folks needed to be aware of it regardless. To date, this has still not been fixed.

GreyMagic Security Advisory GM#014-IE

Topic: Script Injection to Custom HTTP Errors in Local Zone.

Discovery date: 18 Feb 2003.

Affected applications: Microsoft Internet Explorer 5.01, 5.5 and 6.0. Note that any other application that uses Internet Explorer's engine (WebBrowser control) is affected as well (AOL Browser, MSN Explorer, etc.).

Introduction: Internet Explorer ships with various internal HTML resource files. The majority of these files are meant to handle custom HTTP errors in web sites (also called "Friendly HTTP error messages"). They all use the same basic pieces of code, with minor changes to the actual content of each resource. One of the main functions included in the resources is a method to extract the real URL from the resource URL hash. For example, if "site.com" generated a 404 HTTP error, the following URL will be internally requested by IE: res://shdoclc.dll/404_HTTP.htm#http://site.com/file.html. The function takes the part after the # sign and attempts to extract the domain of the site, in order to embed it in the content of the custom message.

Discussion: We found that the above-mentioned parsing procedure has a flaw in it that may cause arbitrary script commands to be executed in the Local Zone, leading to potential arbitrary command execution, local file reading and other severe consequences. However, exploiting this procedure requires user interaction: the user must click the URL presented by the resource for the malicious code to execute.

A sample of the vulnerable function, precisely as it appears in the resources, is presented on GreyMagic's Security Advisory page.

The comments in this function teach us that Microsoft had indeed attempted to protect this resource from being exploited in this way, but unfortunately failed to do so. A specially crafted value appended after the # sign can fool this function into writing a "javascript:" URL in the displayed link.
Solution: Microsoft was notified on 20-Feb-2003. They were able to reproduce this on IE6 Gold and all versions below it. We managed to reproduce it on all versions, including IE6 SP1, with no exceptions. They plan to fix this flaw in a future service pack.
There is further discussion on the page.
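As an added illustration (not code from the GreyMagic advisory, and not Microsoft's resource-file script), the JavaScript below shows the defensive pattern that the fragment-parsing step described above needs: parse the text after the # sign with the WHATWG URL parser instead of hand-rolled string slicing, allow only http and https schemes, and HTML-escape both the href and the displayed domain before building the link. The function names and the sample fragments are constructed for this example; only the http://site.com/file.html form comes from the advisory.

```javascript
// Added example (not GreyMagic's or Microsoft's code): a hardened version of the
// "extract the real URL from the fragment" step that IE's error resources perform.
// Defensive pattern: parse, allowlist the scheme, then HTML-escape before emitting markup.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Parse the text after '#' in a res:// error-page URL into a safe { href, host }.
// Returns null for anything that is not a plain absolute http(s) URL with a host.
function extractSiteLink(fragment) {
  if (typeof fragment !== 'string' || fragment.length === 0) return null;
  let url;
  try {
    url = new URL(fragment); // throws on relative or malformed input
  } catch {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null; // drops javascript:, res:, file:, ...
  if (url.hostname === '') return null;
  if (url.username || url.password) return null; // reject "user@host" confusables
  return { href: url.href, host: url.hostname };
}

// Minimal HTML escaping for text and attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Build the anchor a friendly-error page would display, or a neutral message
// when the fragment did not survive validation.
function renderSiteLink(fragment) {
  const link = extractSiteLink(fragment);
  if (!link) return '<p>The page cannot be displayed.</p>';
  return `<a href="${escapeHtml(link.href)}">${escapeHtml(link.host)}</a>`;
}

// Constructed sample fragments; only the first is the form quoted in the advisory.
const SAMPLES = [
  'http://site.com/file.html',
  'https://example.test/a?b=1',
  'javascript:void(0)',        // non-http scheme: must never become a clickable link
  'http://',                   // no host
  'site.com/file.html',        // relative, not an absolute URL
  'http://user:pw@site.com/',  // embedded credentials
  '"><b>x</b>',                // markup in place of a URL
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const s of SAMPLES) {
    console.log(JSON.stringify(s), '=>', renderSiteLink(s));
  }
}
```

The point of routing everything through `new URL()` and a scheme allowlist is that the parser, not a regular expression, decides what the scheme and host are, so the kind of crafted fragment the advisory describes cannot end up as a `javascript:` href; anything unrecognised degrades to a static message rather than a link.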

Oh great, another patch... In the meantime, I have to remember not to allow this to happen. I bet when they fix it, it'll be a critical update, too.
