Reported March 6, 2001, by Microsoft.
VERSIONS AFFECTED
-
Microsoft Internet Explorer 5.01
-
Microsoft Internet Explorer 5.5
-
Microsoft Windows Scripting Host 5.01
-
Microsoft Windows Scripting Host 5.5
DESCRIPTION
Internet Explorer (IE) provides a caching mechanism to store content that a user downloads and processes on the user's local machine. The caching mechanism is also used to obscure the physical location of the cached content so that Web page or HTML email works through IE’s security architecture to access this information. This ensures that the system can properly restrict information usage.
A vulnerability exists that lets a Web page or HTML email reveal the physical location of this cached content. By using this information, an attacker can cause the cached content to open in the Local Computer Zone of IE and launch compiled HTML Help (.chm) files containing shortcuts to executables. The attacker can them run those executables.
VENDOR RESPONSE
Microsoft has issued security bulletin MS01-015 to address this vulnerability.
CREDIT
Discovered by
Microsoft.