Microsoft IE XHTML Formatted Comment User Confirmation Bypass
Remote / Network Access
Loss of Integrity
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
Disclosure of this issue is credited to Cyrille SZYMANSKI.
Microsoft Internet Explorer 6.0 SP2 - do not use
Reportedly, Microsoft Internet Explorer is affected by a vulnerability that allows users to bypass security confirmation. This issue is due to a design error that allows malicious users to trivially bypass the requirement for user confirmation.
No exploit is required to leverage this issue. Reportedly, a comment of the following form when placed between the '<!DOCTYPE>' and '<HTML>' tags will trigger this issue:
<!-- saved from usr=(XXXX)URL -->
where 'URL' is a URL string such as 'http://www.example.com' and 'XXXX' is a four-digit number that corresponds to the number of characters in the URL string.
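A defensive check for the comment form described above, for use when inspecting HTML received from the network. This is an added example, not code from the advisory; the function name, the result fields and the sample pages are constructed for illustration. The pattern accepts the key as printed here (`usr`) and as `url`, the spelling Internet Explorer writes when saving a page.

```python
import re

# Key accepted as printed in the advisory ("usr") and as "url", the spelling
# Internet Explorer writes when it saves a page (assumption of this example).
COMMENT = re.compile(
    r"<!--\s*saved from (?:usr|url)=\((\d{4})\)(\S*?)\s*-->", re.I)
DOCTYPE = re.compile(r"<!DOCTYPE[^>]*>", re.I)
HTML_TAG = re.compile(r"<html[\s>]", re.I)


def find_saved_from(markup):
    """Report every 'saved from' comment, whether its four-digit length
    matches the URL, and whether it sits between <!DOCTYPE> and <HTML>."""
    doctype = DOCTYPE.search(markup)
    html = HTML_TAG.search(markup)
    findings = []
    for m in COMMENT.finditer(markup):
        declared, url = int(m.group(1)), m.group(2)
        in_prolog = bool(doctype and html
                         and doctype.end() <= m.start()
                         and m.end() <= html.start())
        findings.append({
            "url": url,
            "declared_len": declared,
            "length_matches": declared == len(url),
            "in_prolog": in_prolog,  # the placement the advisory describes
        })
    return findings


# Constructed sample pages (not taken from the advisory).
PROLOG_SAMPLE = (
    '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" '
    '"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">\n'
    '<!-- saved from url=(0022)http://www.example.com -->\n'
    '<html xmlns="http://www.w3.org/1999/xhtml"><body></body></html>')
BODY_SAMPLE = (
    '<!DOCTYPE html>\n<html><body>'
    '<!-- saved from usr=(0010)http://www.example.com -->'
    '</body></html>')
CLEAN_SAMPLE = '<!DOCTYPE html>\n<html><body><!-- note --></body></html>'

if __name__ == "__main__":
    for name in ("PROLOG_SAMPLE", "BODY_SAMPLE", "CLEAN_SAMPLE"):
        print(name, find_saved_from(globals()[name]))
```

A finding with both `in_prolog` and `length_matches` set corresponds to the form the advisory reports as triggering the issue.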
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: email@example.com.