Highly critical security bug was discovered in Internet Explorer. One can create a web page which after loading in IE causes corruption of the registry with IE Entries and according to our tests also its crash.
Highly critical security bug in Internet Explorer was discovered by Emmanouel Kellinis and published in his page yesterday.
Problem is in processing a 'file://' URL as a first value of a JavaScript action 'window.location'. Instead of a valid drive name it´s possible to pass an arbitary drive name using hexadecimal values (e.g. xff:filename). After loading the webpage with this code, 3 registers ECX EDX EDI are overwritten which will cause corruption of the registry with IE Entries and according to our tests also IE´s crash.
According to discovever, the result is that "the assocation of html/htm pages with Internet Explorer do not work and every shortcut of IE is not loading. Instead there is an error popup saying: You cant access this file,path,drive. Permission Denied. Noted that you dont have access to the temp directory as well. MSN Messenger is effected by the Memory Access Violation and it is crashing immediatelly after you login (sometimes the problem is fixed after restarting)."
Javascript action window.location can be used for example with a onLoad event which can be used also inside HTML tags. That´s why author warns there is possibility that some firewalls won´t detect onLoad as Javascript .
Solutions: Disable Javascript in Internet Explorer. Expert users can configure their firewalls to blocking sites which contains "file://" string in Javascript in their code.
View: Original advisory
Problem is in processing a 'file://' URL as a first value of a JavaScript action 'window.location'. Instead of a valid drive name it´s possible to pass an arbitary drive name using hexadecimal values (e.g. xff:filename). After loading the webpage with this code, 3 registers ECX EDX EDI are overwritten which will cause corruption of the registry with IE Entries and according to our tests also IE´s crash.
According to discovever, the result is that "the assocation of html/htm pages with Internet Explorer do not work and every shortcut of IE is not loading. Instead there is an error popup saying: You cant access this file,path,drive. Permission Denied. Noted that you dont have access to the temp directory as well. MSN Messenger is effected by the Memory Access Violation and it is crashing immediatelly after you login (sometimes the problem is fixed after restarting)."
Javascript action window.location can be used for example with a onLoad event which can be used also inside HTML tags. That´s why author warns there is possibility that some firewalls won´t detect onLoad as Javascript .
Solutions: Disable Javascript in Internet Explorer. Expert users can configure their firewalls to blocking sites which contains "file://" string in Javascript in their code.
View: Original advisory