Wednesday, November 30, 2005 

About the body Onload Internet Explorer Vulnerability

There has been some unfair criticism of the people who released the exploit code for the Internet Explorer body onload JavaScript vulnerability. People should read the actual history of this issue.

This vulnerability was originally disclosed publicly around the end of May.
http://marc.theaimsgroup.com/?l=bugtraq&m=111746394106172&w=2 . The vendor did not even publicly acknowledge the presence of the flaw, nor did they provide any timetable for a fix. Six months after the vulnerability was publicly disclosed and the vendor had failed to acknowledge it, security researchers published exploit code. Their exploit code, incidentally, launches the calculator application. Modifying it to do something useful, like binding a shell to a port, for example, was not something a script kiddie could do (I did, but not without some assembly language).

When a security researcher discovers a vulnerability, they should contact the vendor, ask them to fix it, and release the details of the vulnerability to the public. It is up to the person who discovers the vulnerability how long they want to wait between the initial report of a vulnerability and the publication of exploit code. Generally, most people want the vendor to have a chance to fix the problem.

However, sometimes, vendors refuse to acknowledge the existence of security vulnerabilities in their products, even when they have been reported. In that case, it is the ethical responsibility of the security researcher to publish proof-of-concept exploit code in order to demonstrate to the vendor the seriousness of the issue. By doing so, the importance of the issue is made clear to the customers of the product, and the vendor is then forced to fix the vulnerability.

When a security vulnerability that has the potential to compromise millions of people's computers has been publicly disclosed, and the vendor refuses to even acknowledge its existence, let alone give a timetable for a fix, there is no reason to delay publishing exploit code. The Chinese, the Russian Mafia, and/or the black hats of the world had probably written their own exploit code by now. Just because the vendor says that no one has actually been exploited using this vulnerability doesn't mean anything. Keep in mind that until a few days ago, the whole world knew about this, and they didn't even acknowledge that it was a problem.

http://www.computerterrorism.com/research/ie/ct21-11-2005

"The original DoS vulnerability was brought to the public's attention on the 31/05/2005 by Benjamin Tobias Franz. To date, the vendor has failed to publicly acknowledge the presence of the flaw, or provide any timescales for an appropriate fix. Accordingly, as of the date of this document, this vulnerability remains UNPATCHED, affecting all users of Microsoft Internet Explorer version 5.5 and 6.x respectively."
________

Interestingly enough, I haven't found this mentioned anywhere, but you can also cause IE to crash using other events besides onLoad. You can also get it to crash using onUnload, onMouseMove, etc. I have not really tried to write exploits using these variants, though. If Microsoft comes out with a patch, it would presumably fix all of these, I would hope...