Information Disclosure Vulnerability in Microsoft Internet Explorer

Reported February 21, 2002, by Microsoft.

VERSIONS AFFECTED

• Microsoft Internet Explorer (IE) 6.0, 5.5, and 5.01

DESCRIPTION

A vulnerability exists in IE that can lead to information disclosure. This problem stems from the way IE handles VBScript when validating cross-domain access, letting one domain's scripts access another domain's contents within a frame. An attacker can use scripts to exploit the vulnerability by extracting other domains' frame contents to send to the attacker's Web site. The attacker can view files located on the user's local machine or capture the contents of third-party Web sites the user visited after leaving the attacker's site. The vulnerability lets an intruder learn personal information about the user, such as usernames, passwords, or credit card information.

VENDOR RESPONSE

The vendor, Microsoft, has released Security Bulletin MS02-009, which addresses this vulnerability, and recommends that affected users apply the appropriate patch listed at Microsoft's Download Center or at the Windows Update Web site.

CREDIT
Discovered by Zentai Peter Aron of Ivy Hungary Ltd