Microsoft Confirms New IE Data Leakage Flaw

Author: Ryan Naraine
minute read

Microsoft today issued a security advisory to acknowledge an information disclosure hole in its Internet Explorer browser and warned that an attacker could exploit the flaw to access files
with an already known filename and location.The vulnerability was first discussed at this week’s Black Hat DC conference by Jorge Luis Alvarez Medina, a security consultant with Core Security
Technologies.   Microsoft says the risk is highest for IE users running Windows XP or who have disabled the browser’s Protected Mode feature.

Microsoft today issued a security advisory to acknowledge an information disclosure hole in its Internet Explorer browser and warned that an attacker could exploit the flaw to access files
with an already known filename and location.

The vulnerability was first discussed at this week’s Black Hat DC conference by Jorge Luis Alvarez Medina, a security consultant with Core Security
Technologies.   Microsoft says the risk is highest for IE users running Windows XP or who have disabled the browser’s Protected Mode feature.

Medina’s  presentation demonstrated how an attacker can read every file of an IE user’s filesystem.  The attack scenario leveraged different design features of
Internet Explorer that can be combined to do serious damage.

Here’s more on Medina’s talk from DarkReading’s Kelly Jackson-Higgins:

[Medina] says popular features in IE, such as URL Security Zones
and the browser’s file-sharing protocol, can together be abused to
execute an attack that results in the attacker being able to read all
files on the victim’s machine. Medina plans to release proof-of-concept
code for the attack next month after Black Hat DC, and after Microsoft issues a security update for the attack, which affects IE versions 6 and above, he says.

“These vulnerabilities are just features … the implementation of the
features allow you to obtain certain information, which by itself is
harmless. But when combined together with other features, it renders an
attack vector,” Medina says. The attack requires the user to click on a
malicious link.

According to Microsoft’s advisory,  IE’s Protected Mode prevents exploitation of this vulnerability and is
running by default for versions of Internet Explorer on Windows Vista,
Windows Server 2008, Windows 7, and Windows Server 2008.

The problem does affect every version of the browser and is considered most serious on Windows XP.

The vulnerability exists due to content being forced to render
incorrectly from local files in such a way that information can be
exposed to malicious websites.

For pre-patch mitigations, see the “workarounds” section of Microsoft’s advisory.

Suggested articles

Cybersecurity for your growing business
Cybersecurity for your growing business

Topics

Show all

Authors

Threatpost

InfoSec Insider

Infosec Insider Post

Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Content

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.