Reported August 9, 2000 by Juan Carlos Garcia Cuartango
- Microsoft Internet Explorer 4.x
- Microsoft Internet Explorer 5.x
T he ActiveX rendering control that invokes scripts is vulnerable to attack by a malicious script designed to inject code into a known IE system. Once injected, the rendering control could be used to activate the code under the security context of the Local Computer Zone where it could then gain access to local files.
A particular function within IE does not properly protect against the interaction of two browser frames when those frames are in different domains, including the user's local file system. The lack of protection allows for one frame to pass inform to another where the data passed could be read from the user's local file system and subsequently transmitted offsite.
VENDOR RESPONSE
Microsoft issued FAQ #FQ00-055, Support Online article Q266336, as well as patches for IE 4.x and 5.x.
Microsoft's bulletin states,
"Note: In addition to eliminating the two vulnerabilities discussed above, this
patch also protects against several previously-discussed vulnerabilities. Customers who
apply this patch will also be protected against the vulnerabilities discussed in the
following Security Bulletins:
- Microsoft Security Bulletin MS00-033
- Microsoft Security Bulletin MS00-039
- Microsoft Security Bulletin MS00-049
In addition, for IE 5.5 systems only, this patch also eliminates the vulnerability
discussed in Microsoft Security Bulletin MS00-042.
Note: Customers who install this patch on versions other than IE 5.01, IE 5.01 SP1, or IE
5.5 may receive a message reading "This update does not need to be installed on this
system". This message is incorrect. More information is available in KB article
Q266336.
In addition, the bulletin lists the following references for addition information:
- Frequently Asked Questions: Microsoft Security Bulletin MS00-055,
http://www.microsoft.com/technet/security/bulletin/fq00-055.asp - Microsoft Knowledge Base article Q266336 discusses this issue and will be available soon.
- Microsoft Security Bulletin MS00-033, Patch Available for "Frame Domain
Verification", "Unauthorized Cookie Access", and "Malformed Component
Attribute" Vulnerabilities
http://www.microsoft.com/technet/security/bulletin/ms00-033.asp - Microsoft Security Bulletin MS00-039, Patch Available for "SSL Certificate
Validation" Vulnerabilities
http://www.microsoft.com/technet/security/bulletin/ms00-039.asp - Microsoft Security Bulletin MS00-042, Patch Available for "Active Setup
Download" Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms00-042.asp - Microsoft Security Bulletin MS00-049, Patches Available for "Office HTML" and
"IE Script" Security Vulnerabilities,
http://www.microsoft.com/technet/security/bulletin/ms00-049.asp
CREDIT
Discovered by Juan Carlos
Garcia Cuartango