Is there substance to the IE 'ghost bug'?
Pascal Vyncke, a 20-year-old computer science student in Antwerp, Belgium, this week published details on what he believes is a vulnerability in Internet Explorer 6. However, Microsoft says what Vyncke found is not a bug, but a browser feature. A security expert, who has been critical of Microsoft in the past, this time agrees with the software maker.
Vyncke has christened his discovery the "JavaScript Ghost bug." The bug makes it possible to build a Web page that includes a JavaScript, but shows only the result of the script and not the rest of the page to the Web user. Also, the actual source code of the page is hidden, meaning that it doesn't display when selecting "view" and "source" in IE.
Perhaps, Vyncke wrote in an e-mail, the technique he found can let an attacker run a malicious JavaScript on a victim's PC without the user's knowledge and without allowing the user to see what is running.
Microsoft in a response said that not displaying script code when a user attempts to view the source of the page is not a vulnerability. "Instead, this is a standard feature of most browsers including Internet Explorer," a company representative said in an e-mail.
Thor Larholm, a senior security researcher with
"I hate to agree with Microsoft too often, but they are absolutely right with this claimed bug. This is not a vulnerability, this is a by-design feature that has existed since Netscape 2. There is no command execution, no theft of information, no cookie stealing, no URL obfuscation and no escalation of privileges," he wrote in an e-mail.
JavaScript can create a new HTML document to be rendered in the browser and Vyncke is using those features, Larholm said.
Vyncke is correct in stating that his technique could be used to trick search engines, Larholm said. Text on the initial page that site visitors won't see because the script sends them to a second page would still be picked up by search engine crawlers, he said.
Meanwhile, Vyncke in an later e-mail said that he doesn't have time to figure out if what he found is really a flaw that could be exploited to harm users. He's busy at school, finals last until July 1, he wrote.
