COMMAND

    MSIE "SaveRef" turns Zone off

SYSTEMS AFFECTED

    Tested on MSIEv6, others ?

PROBLEM

    Liu Die Yu [liudieyuinchina@yahoo.com.cn] says :

    MSIE: you can execute jscript in any zone by saving the reference
    of "(NewWindow).location.assign".

    (content after the "[exp]" section is not directly related to the
    flaw, so skip it if you are in a hurry;)

    [tested]
    MSIEv6 (CN version)
    {IEXPLORE.EXE file version: 6.0.2600.0000}
    {MSHTML.DLL file version: 6.00.2600.0000}
    Win98

    [demo]
    at http://www16.brinkster.com/liudieyu/SaveRef/SaveRef-MyPage.htm
    or clik.to/liudieyu ==> SaveRef-MyPage section.

    [exp]
    javascript-protocol URL can cause CSS at client side, so Microsoft
    blocked "(NewWindow).location.assign" method (there is no other
    explanation at all). but we can save the reference (mostly the same
    as 'pointer' in C) of "(NewWindow).location.assign" when we can
    access it, then we can access it forever -- regardless of
    NewWindow's zone, which means we can execute jscript in any zone.
    simple, that's all.

SOLUTION

    ?
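
Added example (not part of the original advisory and not Internet Explorer code): a toy JavaScript model of the flaw class described under [exp], in which the zone check is made when the method reference is fetched but not when it is called, next to a variant that re-checks on every call. The names makeWindow, getAssign, navigate and the zone strings are assumptions made for illustration, as is the modelled check itself.

```javascript
// Toy model of the flaw class (constructed for illustration; not MSHTML code).
// makeWindow, getAssign, navigate and the zone strings are hypothetical.
function makeWindow(zone, recheckOnCall) {
  const win = { zone, ran: [] };
  // Stand-in for location.assign: a javascript: URL runs in the window's
  // *current* zone, whatever zone it was in when the reference was handed out.
  function assign(caller, url) {
    if (recheckOnCall && caller.zone !== win.zone) {
      throw new Error("access denied at call time");
    }
    win.ran.push({ url, zone: win.zone });
  }
  // Property lookup: the only place the vulnerable variant checks the zone.
  win.getAssign = (caller) => {
    if (caller.zone !== win.zone) throw new Error("access denied at lookup");
    return (url) => assign(caller, url);
  };
  win.navigate = (newZone) => { win.zone = newZone; };
  return win;
}

// The caller fetches the reference while the window is same-zone, the window
// then moves to another zone, and the saved reference is called afterwards.
function savedReferenceOutcome(recheckOnCall) {
  const caller = { zone: "Internet" };
  const win = makeWindow("Internet", recheckOnCall);
  const saved = win.getAssign(caller);
  win.navigate("My Computer");
  try {
    saved("javascript:/* placeholder */");
    return "ran in " + win.ran[0].zone;
  } catch (e) {
    return "blocked: " + e.message;
  }
}

// Fetching the reference only after the zone change is refused by both variants.
function lateLookupOutcome(recheckOnCall) {
  const win = makeWindow("Internet", recheckOnCall);
  win.navigate("My Computer");
  try {
    win.getAssign({ zone: "Internet" });
    return "allowed";
  } catch (e) {
    return "blocked: " + e.message;
  }
}

console.log(savedReferenceOutcome(false), "|", savedReferenceOutcome(true));
```

The first variant matches the behaviour the advisory reports; the second shows the fix direction, which is to authorise each invocation against the target's current zone instead of trusting a reference handed out earlier.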