In association with heise online

04 February 2010, 13:25

Microsoft confirms new vulnerability in Internet Explorer

Microsoft has confirmed the existence of a security vulnerability revealed at the Black Hat DC security conference on Tuesday and has itself issued a warning. The vulnerability allows a crafted website to access and read the content of arbitrary files on a PC. Although an attacker needs to know the specific path and file name, for a standard Windows installation these are usually known default paths.

All versions of Internet Explorer from 5.01 to 8 on all supported Windows platforms are reportedly affected. Windows XP Home users, however, appear to be unaffected by the problem, as XP Home does not include a hidden C$ administrative share for websites to access. For Internet Explorer 7 and 8 running under Windows 7, Vista or Server 2003/2008, the vulnerability cannot be exploited as long as protected mode is activated in the browser (as it is by default).

Microsoft has said that it is looking into how it can solve the problem. However, solving it is not going to be straightforward, as Jorge Luis Alvarez Medina of Core Security Technologies, who discovered the vulnerability, has repeatedly stressed. The crux of the problem is that security zone settings in Internet Explorer do not always take effect when a path is entered in the browser in UNC (Uniform Naming Convention) format (e.g. file://$/.../index.dat). This means that under specific conditions JavaScript from the Internet Zone can access (and render) local files, despite the zone model being intended to prevent this.

Core Security reported two similar cross-domain vulnerabilities to Microsoft in 2008 and 2009, for which Microsoft released updates. However, until now, Microsoft has always merely patched things up, without addressing the actual core problem. As a result Medina has been able to discover a new means of reading local files. To overcome the hurdles set up by Microsoft, he takes advantage of a bug in the way the MIME type of local files is determined and a weakness when processing OBJECT tags.

As an interim solution, Microsoft has released a downloadable fix-it tool which disables the Internet Explorer file protocol. This could, however, cause problems for some other applications.
