Reported February 21, 2002, by Microsoft.
VERSIONS AFFECTED
Microsoft Internet Explorer (IE) 6.0, 5.5, and 5.01
DESCRIPTION
A vulnerability exists in IE that can lead to information disclosure. This problem
stems from the way IE handles VBScript when validating cross-domain access,
letting one domain's scripts access another domain's contents within a frame. An
attacker can use scripts to exploit the vulnerability by extracting other
domains' frame contents to send to the attacker's Web site. The attacker can
view files located on the user's local machine or capture the contents of
third-party Web sites the user visited after leaving the attacker's site. The
vulnerability lets an intruder learn personal information about the user, such
as usernames, passwords, or credit card information.
VENDOR RESPONSE
The vendor, Microsoft, has released Security Bulletin MS02-009,
which addresses this vulnerability, and recommends that affected users apply the
appropriate patch listed at Microsoft's Download Center or at the Windows
Update Web site.
CREDIT
Discovered by Zentai Peter Aron of Ivy Hungary Ltd.
Information Disclosure Vulnerability in Microsoft Internet Explorer