Javascript bug IE 6

Error reported to Microsoft on Jun 07 2005 and again on Jun 08 2005, error reported to Opera on Jun 08 2005
Informed Google, MSN, Yahoo/AltaVista, Ilse, Lycos, Excite, Webcrawler on Jun 08 2005
Informed Norton, McAfee on Jun 08 2005

Summary:
Exploit for all Microsoft Internet Explorer users Can be abused by hackers to run harmful JavaScript code and can be abused to mislead existing protection against harmful JavaScript code, like software from Norton, McAfee,… Can be abused to mislead the search engines Google, MSN, Yahoo, AltaVista,… Unpleasant for JavaScript programmers The “JavaScript Ghost bug”
I, Pascal Vyncke, have found a bug in Internet Explorer 6, in the processing of JavaScript in Internet Explorer 6. Probable are previous versions of Internet Explorer 6 SP2 also vulnerable for this security flaw. The bug is reported to Microsoft on the 7th and on the 8th of June 2005 and I publish this error also on the Internet so that everyone knows the bug exists and Microsoft is pushed to find a solution for it.
The bug in IE6, I call it the “JavaScript Ghost bug” makes it possible to run a JavaScript on the computer of the surfer, but the source code of the JavaScript cannot be seen by the surfer and is also “forgotten” by IE6. Normally is the code of an HTML page and all the JavaScript code always visible to the user if he asks the source code of the internet page (in IE: View > Source). Also, all the HTML code and other things like images are hided with this bug. The exploit for the bug is only 133 bytes long.

The JavaScript IE 6 exploit:


function init() {
document.write("The time is: " + Date() );
}
window.onload = init;


This bug can give totally unexpected results to a (inexperienced) JavaScript programmer because only some output is given to the user (the output of the JavaScript), but all the other HTML used on the page will disappear (like a ghost). The new generated source code by the JavaScript is also the only source code that IE6 will see. Reloading the page by hitting F5, the Refresh-button or Ctrl-F5 will not help. The JavaScript code is NOT loaded again and the exactly the same output is given, like it is just a normal HTML page with only that output on, and not the JavaScript on or the other HTML code. This is especially simple to see if we output the date/time. We get only the date/time outputted, but reloading the page gives us every time again the same date/time. Only closing IE6 and restarting IE6 and opening the page again will give an update.

This bug is not only a bug and can be unpleasant for website programmers, it can possibly be exploited and then be used to run random JavaScript code on the user’s machine without the user can check the JavaScript code. Software running on the computer to protect the user (like Norton, McAfee,…) that checks the JavaScript code to be not harmful will not work because the original JavaScript source code will not be visible and even reloading the page, printing or saving the page will not give the original JavaScript and cannot be checked. In this manner it is maybe possible to use all the known IE security flaws to exploit again with this bug.

This bug can possibly also be exploited to hide information for the user. In this manner it can be used to mislead search engines. The website programmer can add as much information, keywords,… to his page and give it a lay-out in a way that search engines like Google think it are important keywords of the website, without the user can view the keywords but will see other information. For example: the website maker can add keywords that are searched a lot like “weather, maps, dictionary, Amazon, hotels, Madonna, Pamela Anderson, Brad Pitt,…” (to be silent about harder keywords regard erotic, XXX, drugs, political slogans,…). The search engine like Google will see the keywords and rank the page higher, the users clicks on the site but will see a totally different page. The bug can also be exploited to be used to hide information “by accident” like contract information, the “sm