WARNING: JavaScript bug in IE 6

Error reported to Microsoft on Jun 07 2005 and again on Jun 08 2005; error reported to Opera on Jun 08 2005.
Informed Google, MSN, Yahoo/AltaVista, Ilse, Lycos, Excite, Webcrawler on Jun 08 2005.
Informed Norton, McAfee on Jun 08 2005.

Summary:
The “JavaScript Ghost bug”

I, Pascal Vyncke, have found a bug in Internet Explorer 6, in its processing of JavaScript. Versions before Internet Explorer 6 SP2 are probably also vulnerable to this security flaw. The bug in IE6, which I call the “JavaScript Ghost bug”, makes it possible to run JavaScript on the surfer’s computer while the source code of that JavaScript cannot be seen by the surfer and is also “forgotten” by IE6.

The JavaScript IE 6 exploit:
This bug can give totally unexpected results to an (inexperienced) JavaScript programmer, because the user is shown only the output of the JavaScript while all the other HTML used on the page disappears (like a ghost).

This is not only a bug that can be unpleasant for website programmers: it can possibly be exploited to run arbitrary JavaScript code on the user’s machine without the user being able to check that code. Software running on the computer to protect the user (like Norton, McAfee,…) that checks JavaScript code for harmful content will not work, because the original JavaScript source code is not visible; even reloading, printing or saving the page will not give back the original JavaScript, so it cannot be checked. In this manner it may be possible to exploit all the known IE security flaws again through this bug.

This bug can possibly also be exploited to hide information from the user, and in this manner be used to mislead search engines. The website programmer can add as much information, keywords,… to his page as he likes and lay it out in such a way that search engines like Google think these are important keywords of the website, while the user cannot view the keywords and sees other information instead.

I have already published the exploit, but without any extra information or a real example.
If your browser is vulnerable to this IE bug, then you will only see “The time is now xxx”, where xxx is the date and time. You will see neither “Something before the JavaScript” nor “and something after the JavaScript”. If you want to verify that the source code of the page really is the exact code published on this page, you can open the page with a browser that is not vulnerable, like Netscape, Firefox,... or open it with another program, like Notepad, Macromedia Dreamweaver, Microsoft Frontpage,...

I give this simple JavaScript exploit so that you can understand it. It can be combined with other JavaScript code placed before or even after the given exploit; that code is also executed on the user’s computer, and its source code will also disappear as a “ghost”.

This new bug in IE6 is bad news for Microsoft, which is already heavily under fire for its poor security, but it is also bad news for the search engines and for the users against whom the bug can be exploited: at this moment every IE6 user, and possibly users of all the previous versions of IE.

Who is vulnerable?

Vulnerable browsers: Internet Explorer 6, SP2 (on a Windows XP machine) and probably all the previous versions.

Solution?

Turn JavaScript off in Internet Explorer until Microsoft releases a Security Patch/Security update.

Notice

This security hole is published so that everyone knows about the exploit and Microsoft can solve the problem as quickly as possible. A known security flaw is less dangerous than an unknown security hole that can be used by real hackers, swindlers or racketeers.

Best regards,
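
A check for the hiding behaviour described in this advisory, as an added example that is not part of the original advisory: it compares the static text in a page's served markup with the text the browser actually displayed and reports what went missing. The sample markup, the displayed string, the function names and the 50% threshold are constructed assumptions, and the script body is intentionally not reproduced.

```python
from html.parser import HTMLParser

# Constructed sample: markup shaped like the demonstration page described above.
# The script body is left out on purpose; only the static text matters here.
SERVED_HTML = """<html><body>
<p>Something before the JavaScript</p>
<script type="text/javascript">/* script body not reproduced */</script>
<p>and something after the JavaScript</p>
</body></html>"""
# Constructed sample: text captured from the browser under test for that page.
DISPLAYED_TEXT = "The time is now Wed Jun 8 12:00:00 2005"

class StaticText(HTMLParser):
    """Collects text that is visible without running any script."""
    SKIP = {"script", "style"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.depth, self.scripts, self.fragments = 0, 0, []

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self.depth += 1                  # entering non-displayed content
            self.scripts += tag == "script"

    def handle_endtag(self, tag):
        if tag in self.SKIP and self.depth:
            self.depth -= 1

    def handle_data(self, data):
        text = " ".join(data.split())
        if text and not self.depth:
            self.fragments.append(text)

def norm(s):
    return " ".join(s.split()).casefold()

def ghost_report(served_html, displayed_text):
    """Return static fragments of the served page that were never displayed."""
    p = StaticText()
    p.feed(served_html)
    p.close()
    shown = norm(displayed_text)
    missing = [f for f in p.fragments if norm(f) not in shown]
    ratio = len(missing) / len(p.fragments) if p.fragments else 0.0
    # Assumed threshold: flag when a scripted page lost half or more of its static text.
    suspicious = p.scripts > 0 and ratio >= 0.5
    return {"scripts": p.scripts, "missing": missing, "missing_ratio": ratio, "suspicious": suspicious}
```

The same comparison serves both concerns raised above: a scanner can inspect the served bytes instead of what the browser reports as the page source, and a search engine can compare indexed keywords with what a visitor is shown.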