Cenzic 232 Patent
Paid Advertising
web application security lab

Variable Width Encoding Now Safe for US-ASCII and UTF-8 In IE7.0

Yup, it’s true, the first of my tests are coming back relatively positive for the newest release candidate for Microsoft’s Internet Explorer. IE7.0 RC1 has fixed a number of variable width encoding issues. Previously in IE6.0 both US-ASCII and UTF-8 encoding methods had variable width encoding issues in them, however, as of my tests today, both are now safe. It definitely closes down one of the most obscure attack vectors out there for two encoding methods, but never fear there are still more out there.

The encoding methods that have not been fixed so far (that I can tell using my fuzzer) are BIG5, EUC-JP, EUC-KR, GB2312 and SHIFT_JIS. Of course this is not necessarily a complete list, but it’s the best we’ve got so far with the research I’ve put in (non-security related day job getting in the way of good security research and development again).

Also, I should point out that IE7.0 did not fix the US-ASCII encoding issues that Kurt Hewig found. So it was definitely a good start for IE7.0 but it didn’t finish strong for the variable width encoding cross site scripting vectors. I could imagine that while discussing this the development folks probably figured that if someone were programming for those language sets they should know about this and take it into account on the server side. But I haven’t lost hope yet, there are still lots of vectors left to test.

Comments are closed.