Internet Explorer Allows Access to Local File System

 

Reported August 9, 2000 by Juan Carlos Garcia Cuartango

VERSIONS EFFECTED

DESCRIPTION

The ActiveX rendering control that invokes scripts is vulnerable to attack by a malicious script designed to inject code into a known IE system. Once injected, the rendering control could be used to activate the code under the security context of the Local Computer Zone where it could then gain access to local files.

A particular function within IE does not properly protect against the interaction of two browser frames when those frames are in different domains, including the user's local file system. The lack of protection allows for one frame to pass inform to another where the data passed could be read from the user's local file system and subsequently transmitted offsite.

VENDOR RESPONSE

Microsoft issued FAQ #FQ00-055, Support Online article Q266336, as well as patches for IE 4.x and 5.x.

Microsoft's bulletin states,

"Note: In addition to eliminating the two vulnerabilities discussed above, this patch also protects against several previously-discussed vulnerabilities. Customers who apply this patch will also be protected against the vulnerabilities discussed in the following Security Bulletins:
- Microsoft Security Bulletin MS00-033
- Microsoft Security Bulletin MS00-039
- Microsoft Security Bulletin MS00-049
In addition, for IE 5.5 systems only, this patch also eliminates the vulnerability discussed in Microsoft Security Bulletin MS00-042.

Note: Customers who install this patch on versions other than IE 5.01, IE 5.01 SP1, or IE 5.5 may receive a message reading "This update does not need to be installed on this system". This message is incorrect. More information is available in KB article Q266336.

In addition, the bulletin lists the following references for addition information:

CREDIT
Discovered by Juan Carlos Garcia Cuartango