Microsoft confirms new vulnerability in Internet Explorer
Microsoft has confirmed the existence of a security vulnerability revealed at the Black Hat DC security conference on Tuesday and itself issued a warning. The vulnerability allows a crafted website to access and read the content of arbitrary files on a PC. Although an attacker needs to know the specific path and file name, for a standard Windows installation these are usually known default paths.
All versions of Internet Explorer from 5.01 to 8 on all supported Windows platforms are reportedly affected. Windows XP Home users, however, appear to be unaffected by the problem, as XP Home does not include a hidden C$ administrative share for websites to access. For Internet Explorer 7 and 8 running under Windows 7, Vista or Server 2003/2008, the vulnerability cannot be exploited as long as protected mode is activated in the browser (as it is by default).
Microsoft has said that it is looking into how it can solve the problem. However, solving it is not going to be straightforward, as Jorge Luis Alvarez Medina of Core Security Technologies, who discovered the vulnerability, has repeatedly stressed. The crux of the problem is that security zone settings in Internet Explorer do not always bite if a path is entered in the browser in UNC (Uniform Naming Convention) format (e.g. file://127.0.0.1/C$/.../index.dat). This means that under specific conditions JavaScript from the Internet Zone can access (and render) local files, despite the zone model being intended to prevent this.
Core Security reported two similar cross-domain vulnerabilities to Microsoft in 2008 and 2009, for which Microsoft released updates. However, until now, Microsoft has always merely patched things up, without addressing the actual core problem. As a result Medina has been able to discover a new means of reading local files. To overcome the hurdles set up by Microsoft, he takes advantage of a bug in the way the MIME type of local files is determined and a weakness when processing OBJECT tags.
As an interim solution, Microsoft has released a downloadable fix-it tool which disables the Internet Explorer file protocol. This could, however, cause problems for some other applications.
See also:
- Vulnerability in Internet Explorer Could Allow Information Disclosure, security advisory from Microsoft
- Internet Explorer Dynamic OBJECT tag and URLMON sniffing vulnerabilities, advisory from Core Security.
- Internet Explorer still a problem child, a report from The H.
(crve)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
