Internet Explorer Allows Access to Local File System


Reported August 9, 2000 by Juan Carlos Garcia Cuartango

  • Microsoft Internet Explorer 4.x
  • Microsoft Internet Explorer 5.x


he ActiveX rendering control that invokes scripts is vulnerable to attack by a malicious script designed to inject code into a known IE system. Once injected, the rendering control could be used to activate the code under the security context of the Local Computer Zone where it could then gain access to local files.

A particular function within IE does not properly protect against the interaction of two browser frames when those frames are in different domains, including the user's local file system. The lack of protection allows for one frame to pass inform to another where the data passed could be read from the user's local file system and subsequently transmitted offsite.


Microsoft issued FAQ #FQ00-055, Support Online article Q266336, as well as patches for IE 4.x and 5.x.

Microsoft's bulletin states,

"Note: In addition to eliminating the two vulnerabilities discussed above, this patch also protects against several previously-discussed vulnerabilities. Customers who apply this patch will also be protected against the vulnerabilities discussed in the following Security Bulletins:
- Microsoft Security Bulletin MS00-033
- Microsoft Security Bulletin MS00-039
- Microsoft Security Bulletin MS00-049
In addition, for IE 5.5 systems only, this patch also eliminates the vulnerability discussed in Microsoft Security Bulletin MS00-042.

Note: Customers who install this patch on versions other than IE 5.01, IE 5.01 SP1, or IE 5.5 may receive a message reading "This update does not need to be installed on this system". This message is incorrect. More information is available in KB article Q266336.

In addition, the bulletin lists the following references for addition information:

Discovered by Juan Carlos Garcia Cuartango

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.