Microsoft confirms new vulnerability in Internet Explorer
Microsoft has confirmed the existence of a security vulnerability revealed at the Black Hat DC security conference on Tuesday and itself issued a warning. The vulnerability allows a crafted website to access and read the content of arbitrary files on a PC. Although an attacker needs to know the specific path and file name, for a standard Windows installation these are usually known default paths.
All versions of Internet Explorer from 5.01 to 8 on all supported Windows platforms are reportedly affected. Windows XP Home users, however, appear to be unaffected by the problem, as XP Home does not include a hidden C$ administrative share for websites to access. For Internet Explorer 7 and 8 running under Windows 7, Vista or Server 2003/2008, the vulnerability cannot be exploited as long as protected mode is activated in the browser (as it is by default).
Core Security reported two similar cross-domain vulnerabilities to Microsoft in 2008 and 2009, for which Microsoft released updates. However, until now, Microsoft has always merely patched things up, without addressing the actual core problem. As a result Medina has been able to discover a new means of reading local files. To overcome the hurdles set up by Microsoft, he takes advantage of a bug in the way the MIME type of local files is determined and a weakness when processing OBJECT tags.
As an interim solution, Microsoft has released a downloadable fix-it tool which disables the Internet Explorer file protocol. This could, however, cause problems for some other applications.
- Vulnerability in Internet Explorer Could Allow Information Disclosure, security advisory from Microsoft
- Internet Explorer Dynamic OBJECT tag and URLMON sniffing vulnerabilities, advisory from Core Security.
- Internet Explorer still a problem child, a report from The H.