-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This also affects IE 7 Beta 2. Did you shoot this over to Microsoft? k.huwig@xxxxxxxxx wrote: > _______________________________________________________________________ > > > iKu Advisory > > _______________________________________________________________________ > > > Product : Microsoft InternetExplorer 6 > > : various filter applications > > Date : June 20th 2006 > > Affected versions : all > > Vulnerability Type : bypassing security filters > > Severity (1-10) : 10 > > Remote : yes > > _______________________________________________________________________ > > > 0. contents > > > 1. problem description > > 2. affected software > > 3. bug description/possible fix > > 4. sample code > > 5. workaround > > > > 1. problem description > > > The character set ASCII encodes every character with 7 bits. Internet > > connections transmit octets with 8 bits. If the content of such a > > transmission is encoded in ASCII, the most significant bit must be ignored. > > > Of the tested browsers Firefox 1.5, Opera 8.5 and InternetExplorer 6, > > only the InternetExplorer does this correctly, the others evaluate the > > bit and display the characters as if they were from the character set > > ISO-8859-1. Although the behaviour of the InternetExplorer is the > > correct one, this creates a security risk: the author of a web page can > > set the bit on arbitraty characters without changing the look of the > > page. But virus scanners and content filters see completely different > > characters, so that there programs cannot detect viruses or spam. > > > This offers spammers and virus writers the possibility to bypass > > installed spam and virus filters. > > > > 2. affected software > > > Only the InternetExplorer displays ASCII encoded web pages as 7 bit. We > > checked several hardware router and antivirus solutions, all of which > > failed to detect malicious JavaScript in manipulated web pages. > > > > 3. bug description/possible fix > > > It should be quite easy to close this hole within filter/scan > > applications by clearing the most significant bit on ASCII encoded web > > pages before analysing them. > > > > 4. sample page > > > At > > > http://www.iku-ag.de/ASCII > > > you can find a test page that displays a secret message. IE6 displays > > the text correctly, Firefox 1.5 and Opera 8.5 display glibberish text. > > This page only shows that IE6 displays ASCII-text correctly and does not > > contain any content that a filter should sort out. > > > Updated information can be found at > > > http://www.iku-ag.de/sicherheit/ascii-eng.jsp > > > > 5. workaround > > > There is no workaround know to us. > > -- > > Kurt Huwig iKu Systemhaus AG http://www.iku-ag.de/ Vorstand Am Römerkastell 4 Telefon 0681/96751-0 66121 Saarbrücken Telefax 0681/96751-66 GnuPG 1024D/99DD9468 64B1 0C5B 82BC E16E 8940 EB6D 4C32 F908 99DD 9468 > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEVAwUBRJmo5wt0Y4479LtgAQJ6/gf9HiQlg8HcteEKECisR3x0sWH0hptcr9De aaaQMJkTvnlwtTKTnrIe7TdZaeAKPNnsh6VMyS5zaOPqnwFfjKjmRK21Ml6m0wLB fKR8XQM+xO9hdNSO7wvjFJC8/NuDhts3M6hKiUHcOqOEEmWH+jll1OchiDTG3AB3 9vAIH1WuYH101gOwt9RSYD3kjujQjro+RQWj5eez42MZEn7k/Fl69XtaVbjMb16M Ud99mpk45JKUWUOuSXXT5VEQJI95M+9Oe7IZmchI89hCDtD6Q38tBGo8nrBweld8 /WFdI5v1YStONnJS1mB1zeGmn1nyXiRRN+2KDaNYc0rld6v1He6SpA== =fAiX -----END PGP SIGNATURE-----
