The following paper is collected at Umbrella.MX.TC
___________________________

Shannon expressed: the more you know about a system, the less uncertainty there is for you.
I wonder how he could explain the following fact:
Before studying vulnerabilities in MSIE, MSIE was not amazing at all.
After learning vulnerabilities in MSIE, MSIE kept giving me surprises.


MSIE Security Vuln

LiuDieYu liudieyuinchina@yahoo.com.cn , liudieyuinchina@vip.sina.com.cn

Internet Explorer is an unclear system.
My goal is to make it produce some special results.

Methodology: Divide and Conquer:

This is an old topic - a task can be divided into small tasks.
Something like attack trees:
http://www.counterpane.com/attacktrees-ddj-ft.html

and I got some ideas about this old methodology here:
http://www.safecenter.net/crosszone/ie/Dir-IEDir.htm

Dealing with Unclear System:
The system is unclear (beyond my capacity to fully understand it), and I control its input. My job is to make it produce some special output. How can I achieve the goal?

This system consists of many sub-processes. I don't fully understand how they work. But:
[1] I understand some processes in the system.
[2] I can control those processes by controlling the input.

Methodology: Modeling to reach [1]
Modal logic: http://plato.stanford.edu/entries/logic-modal/

Methodology: Add needles to the input to reach [2]
Model theory: http://plato.stanford.edu/entries/model-theory/

X stands for a process. Xa<Xb means: Xa is a sub-process of Xb.
S stands for a sentence. V stands for an input. W stands for an output.
V<Mod(S) means V satisfies S. ! means NOT.

Assume: Xp is an unclear process handling input V, and it yields W.
If there exists an Xn such that:
V<Mod(S)-->Xn<Xp
AND
V !< Mod(S)-->Xn !<Xp
then S is a needle. A needle is denoted by the special letter n.

Example: n = The protocol section of a URL is FTP. Xp = Load URL in the browser. Xn = Get content via FTP protocol.

Application:
I focus my mind on the methodology: Add needles to the input to reach [2].

App.1: 2FforMSIE: http://umbrella.mx.tc/ --> 2FforMSIE section

n = URL contains percent-encoded char(s). Xp = Calculate domain. Xn = Decode %-encoded char(s).
The challenge is how to add needle(s) into the input.

App.2: "Request flood": http://www.securityfocus.com/archive/1/320981
n = The number of windows reaches the limit. Xp = Pop up download prompt. Xn = Dialog fails to pop up.
The challenge is to get n and Xn.

Please note that one n may have many corresponding Xn's.
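
The needle definition above, and the note that one n may have many Xn's, as an added example that is not part of the original paper. It is a way to test an instrumented handler: it checks, over a corpus of inputs, which traced sub-processes run exactly when S holds. load_url, the sub-process names and the URLs are all constructed assumptions (a toy model, not MSIE), and a finite corpus gives evidence for a needle, not proof.

```python
import re


def load_url(url):
    """Toy Xp (assumption): handle input V, return the set of sub-processes that ran."""
    trace = {"parse"}
    scheme = url.partition("://")[0].lower()
    if scheme == "ftp":
        trace |= {"ftp_connect", "ftp_get"}   # one cause, two sub-processes
    elif scheme in ("http", "https"):
        trace.add("http_get")
    if re.search(r"%[0-9A-Fa-f]{2}", url):
        trace.add("decode_percent")
    trace.add("calc_domain")
    return trace


def needle_targets(s, xp, corpus):
    """Return every Xn with: V<Mod(S) --> Xn<Xp AND V !< Mod(S) --> Xn !<Xp.

    An empty result means S is not a needle for any traced sub-process.
    """
    sat = [xp(v) for v in corpus if s(v)]
    unsat = [xp(v) for v in corpus if not s(v)]
    if not sat or not unsat:
        # Without inputs on both sides of S, one implication is vacuous.
        raise ValueError("corpus must contain inputs that satisfy S and inputs that do not")
    return set.intersection(*sat) - set.union(*unsat)


# Sentences S, written as predicates over the input V.
def is_ftp(url):
    return url.partition("://")[0].lower() == "ftp"

def has_percent_encoding(url):
    return re.search(r"%[0-9A-Fa-f]{2}", url) is not None

def ends_with_html(url):
    return url.endswith(".html")


# Constructed sample inputs (reserved .test names, no real hosts).
CORPUS = [
    "ftp://files.example.test/pub/readme.txt",
    "FTP://files.example.test/",
    "http://www.example.test/index.html",
    "https://www.example.test/a%20b",
]

if __name__ == "__main__":
    for s in (is_ftp, has_percent_encoding, ends_with_html):
        print(s.__name__, "->", sorted(needle_targets(s, load_url, CORPUS)))
```

In this model, ends_with_html yields no Xn: it is a true statement about some inputs, but no sub-process depends on it, so it is not a needle.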