Explorer VERY VULNERABLE

09/11/2004 - 14:47 by hptella
Microsoft Internet Explorer "res:" URI Handler File Identification
Vulnerability

Secunia Advisory: SA13124
Release Date: 2004-11-09

Critical: Not critical
Impact: Exposure of system information
Where: From remote
Solution Status: Partial Fix

Software: Microsoft Internet Explorer 6

Description:
Benjamin Tobias Franz has discovered a vulnerability in Internet Explorer,
which can be exploited by malicious sites to detect the presence of local
files.

The problem is that an "Access is Denied" error will be returned if a site
in the "Internet" zone tries to open an existing local file in the search
window using the "res:" URI handler. This can be exploited to determine
the presence of specific programs or files in the system directories and
on the desktop.

The vulnerability has been confirmed on a fully patched system with
Internet Explorer 6.0 and Microsoft Windows XP SP1.

Solution:
The vulnerability does not affect systems running Windows XP with SP2
installed.

Disable Active Scripting Support.

Provided and/or discovered by:
Benjamin Tobias Franz


Please note: The information, which this Secunia Advisory is based upon,
comes from third party unless stated otherwise.

Secunia collects, validates, and verifies all vulnerability reports issued
by security research groups, vendors, and others.
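
A content-inspection check for the behaviour the advisory describes, as an added example that is not part of the original post or the Secunia advisory: it flags `res:` URIs in HTML served from the Internet zone, since such content has no ordinary reason to name resources on the client's disk. The function names, severity labels and sample markup are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Any res: URI, up to the first quote, bracket or whitespace.
RES_URI = re.compile(r"""res://[^\s"'<>]+""", re.IGNORECASE)
# Module part names a concrete path: drive letter, or a backslash (raw or %5c).
NAMES_PATH = re.compile(r"res://(?:[a-z]:|[^/]*(?:\\|%5c))", re.IGNORECASE)

class ResUriFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.hits = []  # (location, uri, names_local_path)

    def _scan(self, location, text):
        for uri in RES_URI.findall(text or ""):
            self.hits.append((location, uri, bool(NAMES_PATH.match(uri))))

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        for name, value in attrs:
            self._scan(f"{tag}[{name}]", value)

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        self._scan("script" if self.in_script else "text", data)

def triage(html, zone="Internet"):
    """Return one finding per res: URI in content served from `zone`."""
    finder = ResUriFinder()
    finder.feed(html)
    finder.close()
    findings = []
    for where, uri, names_path in finder.hits:
        # Active content naming a concrete local path matches the advisory;
        # any other res: reference in remote content is left for review.
        high = zone == "Internet" and names_path and where != "text"
        findings.append({"where": where, "uri": uri,
                         "severity": "high" if high else "review"})
    return findings

# Constructed sample page, not taken from the advisory.
SAMPLE = r'''<a href="res://shdoclc.dll/dnserror.htm">help</a>
<script>var target = "res://C:\\WINDOWS\\system32\\example.exe";</script>'''
```

Calling `triage(SAMPLE)` returns two findings: the bare-module link is marked `review` and the script reference that names a drive path is marked `high`.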
 

#1 JM Tella Llop [MVP Windows]
09/11/2004 - 15:00
Jose Manuel Tella Llop
MVP - Windows
(remove XXX)
http://www.multingles.net/jmt.htm

This posting is provided "AS IS" with no warranties, and confers no rights.
You assume all risk for your use.



"HP Tella LLop [MVI Windows[" wrote in message news: