COMMAND

    Javascript bug in Internet Explorer

SYSTEMS AFFECTED

    MS Internet Explorer 4.0, 4.1, 5.0

PROBLEM

    Georgi Guninski found the following.  There is a JavaScript security
    bug in Internet Explorer 4.01 (patched) which circumvents "cross-frame
    security" and opens several security holes.  The problem is: if you
    append '%01someURL' to a URL, IE treats the document as if it were
    loaded from the domain of 'someURL'.  Very strange?  Some of the
    resulting bugs are described below.

    1) IE allows reading local files and sending them to an arbitrary server
    ========================================================================
    The filename must be known.  The bug may be exploited using an HTML
    mail message.  Demo is available at:

        http://www.geocities.com/ResearchTriangle/1711/read3.html

    This works on IE 4.0 also.  The javascript code is:

         alert('Create a short file C:\\test.txt and its contents will be shown in a dialog box.')
         b=showModalDialog("about:<SCRIPT>a=window.open('file://c:/test.txt');s='Here is your file:\\n\\n'+a.document.body.innerText;alert(s);a.close();close()</"+"SCRIPT>%01file://c:/");

    2) IE allows "window spoofing"
    ==============================
    After visiting a hostile page (or clicking a hostile link) a window
    is opened whose location is shown as a trusted site.  However, the
    content of the window is not that of the original site; it is
    supplied by the owner of the hostile page.  The user is thus misled
    into believing he is browsing a trusted site, while he is actually
    browsing a hostile page, and may provide sensitive information such
    as a credit card number.  The bug may be exploited using an HTML
    mail message.  Demo is available at:

        http://www.geocities.com/ResearchTriangle/1711/read4.html

    The new Microsoft Internet Explorer 5 (checked version 5.00.0910.1309)
    still allows frame spoofing and reading of local files as described
    by Georgi Guninski.  Another new feature named "AutoComplete" stores
    form entries (which may also be passwords).  This is just another
    source of passwords, which IE 4.x did not save.
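
    As an added, defender-side example (not part of the original advisory
    or of Guninski's demo pages), the following JavaScript flags links that
    carry the '%01someURL' pattern described above and reports the host the
    link really points to against the host IE would appear to load it from.
    The function names and the sample mail body are my own constructions.

```javascript
// Added example: detect the "%01someURL" cross-frame-security bypass in
// links (e.g. in an HTML mail body) before a user opens them.
// A percent-encoded control byte (%00-%1F) or a literal control character
// has no legitimate place in a URL, so its presence alone is suspicious.
const CONTROL_CHAR = /%[01][0-9a-fA-F]|[\x00-\x1f]/;

// Minimal host extraction: scheme://host[:port]/... -> "host[:port]".
// Returns null for schemes without an authority part (about:, javascript:).
function hostOf(url) {
  const m = /^[a-zA-Z][a-zA-Z0-9+.-]*:\/\/([^\/?#]+)/.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Split a URL at the first control character: the part before it is where
// the content really comes from, the part after it is the origin the
// affected IE builds would wrongly attribute the document to.
function checkUrl(rawUrl) {
  const m = CONTROL_CHAR.exec(rawUrl);
  const realHost = hostOf(m ? rawUrl.slice(0, m.index) : rawUrl);
  if (!m) {
    return { suspicious: false, realHost, claimedHost: null, spoofsOrigin: false };
  }
  const tail = rawUrl.slice(m.index + m[0].length);
  const claimedHost = hostOf(tail);
  return {
    suspicious: true,
    realHost,
    claimedHost,
    // Highest severity: the tail is itself a URL naming a different host.
    spoofsOrigin: claimedHost !== null && claimedHost !== realHost,
  };
}

// Scan every href in an HTML fragment and return the suspicious ones.
function findSpoofedLinks(html) {
  const out = [];
  const hrefRe = /href\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = hrefRe.exec(html)) !== null) {
    const r = checkUrl(m[1]);
    if (r.suspicious) out.push({ url: m[1], ...r });
  }
  return out;
}

// Constructed sample mail body (hypothetical hosts): one ordinary link and
// one link using the %01 trick to pose as trusted.example.
const SAMPLE_MAIL = '<a href="http://trusted.example/">ok</a> ' +
  '<a href="http://hostile.example/page.html%01http://trusted.example/">click</a>';
```

    Running findSpoofedLinks(SAMPLE_MAIL) returns only the second link,
    with realHost "hostile.example" and claimedHost "trusted.example".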

SOLUTION

    Disable JavaScript or use the 5.00.2014.0216IC build; 5.00.0910.1309
    was Beta 2.