SeniorenNet > SeniorenNet Research Department > Techresearch > Javascript bug IE 6

WARNING: Javascript bug IE 6

Error reported to Microsoft on Jun 07 2005 and again on Jun 08 2005, error reported to Opera on Jun 08 2005
Informed Google, MSN, Yahoo/AltaVista, Ilse, Lycos, Excite, Webcrawler on Jun 08 2005
Informed Norton, McAfee on Jun 08 2005

DUTCH VERSION / NEDERLANDSTALIGE VERSIE, KLIK HIER

Summary:

  • Exploit for all Microsoft Internet Explorer users
  • Can be abused by hackers to run harmful JavaScript code and can be abused to mislead existing protection against harmful JavaScript code, like software from Norton, McAfee,…
  • Can be abused to mislead the search engines Google, MSN, Yahoo, AltaVista,…
  • Unpleasant for JavaScript programmers

The “JavaScript Ghost bug”

I, Pascal Vyncke, have found a bug in Internet Explorer 6, in the processing of JavaScript in Internet Explorer 6. Probable are previous versions of Internet Explorer 6 SP2 also vulnerable for this security flaw.
The bug is reported to Microsoft on the 7th and on the 8th of June 2005 and I publish this error also on the Internet so that everyone knows the bug exists and Microsoft is pushed to find a solution for it.

The bug in IE6, I call it the “JavaScript Ghost bug” makes it possible to run a JavaScript on the computer of the surfer, but the source code of the JavaScript cannot be seen by the surfer and is also “forgotten” by IE6.
Normally is the code of an HTML page and all the JavaScript code always visible to the user if he asks the source code of the internet page (in IE: View > Source). Also, all the HTML code and other things like images are hided with this bug.
The exploit for the bug is only 133 bytes long.

The JavaScript IE 6 exploit:

<script type="text/jscript">
function init() {
document.write("The time is: " + Date() );

}
window.onload = init;
</script>

This bug can give totally unexpected results to a (inexperienced) JavaScript programmer because only some output is given to the user (the output of the JavaScript), but all the other HTML used on the page will disappear (like a ghost).
The new generated source code by the JavaScript is also the only source code that IE6 will see. Reloading the page by hitting F5, the Refresh-button or Ctrl-F5 will not help. The JavaScript code is NOT loaded again and the exactly the same output is given, like it is just a normal HTML page with only that output on, and not the JavaScript on or the other HTML code.
This is especially simple to see if we output the date/time. We get only the date/time outputted, but reloading the page gives us every time again the same date/time. Only closing IE6 and restarting IE6 and opening the page again will give an update.

This bug is not only a bug and can be unpleasant for website programmers, it can possibly be exploited and then be used to run random JavaScript code on the user’s machine without the user can check the JavaScript code. Software running on the computer to protect the user (like Norton, McAfee,…) that checks the JavaScript code to be not harmful will not work because the original JavaScript source code will not be visible and even reloading the page, printing or saving the page will not give the original JavaScript and cannot be checked. In this manner it is maybe possible to use all the known IE security flaws to exploit again with this bug.

This bug can possibly also be exploited to hide information for the user. In this manner it can be used to mislead search engines. The website programmer can add as much information, keywords,… to his page and give it a lay-out in a way that search engines like Google think it are important keywords of the website, without the user can view the keywords but will see other information.
For example: the website maker can add keywords that are searched a lot like “weather, maps, dictionary, Amazon, hotels, Madonna, Pamela Anderson, Brad Pitt,…” (to be silent about harder keywords regard erotic, XXX, drugs, political slogans,…).
The search engine like Google will see the keywords and rank the page higher, the users clicks on the site but will see a totally different page.
The bug can also be exploited to be used to hide information “by accident” like contract information, the “small letters”,… for the user.

I have already published the exploit, but without any extra information or a real example.
Here is the source code of the page that is the demo of the exploit:

<h1>Something <i>before</i></h1>
<br> the <b>JavaScript</b>... Blablalbla

<script type="text/jscript">
function init() {
document.write("The time is now: " + Date() );

}
window.onload = init;
</script>

And <u>something</u> after the <b>JavaScript</b>... Blablablablabla

Click here to see the demo of the exploit for the JavaScript Ghost bug.
Attention: only Internet Explorer users have this bug. Firefox, Opera, Netscape,… are not vulnerable. Click on the link at your own risk.

If your browser is vulnerable for this IE bug, then you will only see “The time is now xxx”, where xxx is the date and time. You will not see the “Something before the JavaScript” and also not the “and something after the JavaScript”.
Look at the source code (View > Source). You also will only see “The time is now xxx”, and you don’t see any JavaScript code.
Just hit the Refresh button, press the F5-button on your keyboard or press Ctrl+F5. The time will stay exactly the same, and will not be reloaded. This is to see that even IE6 itself has “forgot” the JavaScript code and only see the generated HTML code of the JavaScript, but not the JavaScript itself.
Just close your Internet Explorer 6 and restart it and surf to the same URL. The exploit will give you again the time, now updated, but you will not see again anything more.

If you want to see that the source code of the page really is the exact code published on this page, you can open the internet page with a browser that is not vulnerable, like Netscape, Firefox,... or open it with another program, like Notepad, Macromedia Dreamweaver, Microsoft Frontpage,...

I give this simple JavaScript exploit so you can understand this exploit. One can use it with other JavaScript code before or even after this given exploit that is also executed on the user his computer, and where also the source code will disappear as a “ghost”.

This new bug in IE6 is bad news for Microsoft that is already heavily under fire because his poor security, but is also bad news for the search engines and for the users where the bug can be exploited, at this moment every IE6 user, and possibly all the previous versions of IE.

Who is vulnerable?

Vulnerable browsers: Internet Explorer 6, SP2 (on a Windows XP machine) and probably all the previous versions.
UPDATE: Opera 7.54 running XP SP2 and Opera 8 have the bug, but are not vulnerable for the security leak.
NOT vulnerable browsers for this bug: Firefox, Netscape

Solution?

Turn JavaScript off in Internet Explorer until Microsoft releases a Security Patch/Security update.

Notice

This security hole is published so everyone knows the exploit and Microsoft can solve the problem as quickly as possible. A know security flaw is less dangerous than an unknown security hole that can be used by real hackers, swindlers or racketeers.
Do NOT use this security hole to harm innocent users.
I personally NEVER used this bug or exploit for any reason to harm in any way an innocent user. I only discovered the bug, exploit and publish it so it can be solved.

Best regards,
Pascal Vyncke

About the author
Pascal Vyncke, 20 years old, webmaster, author/writer, Informatics student at the University of Antwerp, living in Antwerp, Belgium (Europe).