[SEG] Microsoft Internet Explorer "sysimage:" Local File Detection Weakness

08/12/2004 - 19:43 por Windows | Informe spam
(ver "solution" :-)


Microsoft Internet Explorer "sysimage:" Local File Detection Weakness
http://secunia.com/advisories/13396/

Secunia Advisory: SA13396 Print Advisory
Release Date: 2004-12-08

Critical:Not critical
Impact: Exposure of system information
Where: From remote
Solution Status: Partial Fix

Software: Microsoft Internet Explorer 6

Select a product and view a complete list of all Patched/Unpatched
Secunia advisories affecting it.

Description:
Gregory R. Panakkal has discovered a weakness in Internet Explorer,
which can be exploited by malicious people to detect the presence of
local files.

The "sysimage:" URI handler is used for referencing embedded icons in
executable files. The problem is that a website in the "Internet" zone
can reference the URI handler in an image tag. This can be exploited
to determine the presence of local programs using the "onerror" and
"onload" events.

The weakness has been confirmed on a fully patched system with
Internet Explorer 6.0 and Microsoft Windows XP SP1.

Solution:
The weakness does not affect systems running Windows XP with SP2
installed.

Disable Active Scripting Support.

Provided and/or discovered by:
Gregory R. Panakkal
 

Leer las respuestas

#1 JM Tella Llop [MVP Windows]
09/12/2004 - 15:40 | Informe spam
not affect systems running Windows XP with SP2



Jose Manuel Tella Llop
MVP - Windows
(quitar XXX)
http://www.multingles.net/jmt.htm

Este mensaje se proporciona "como está" sin garantías de ninguna clase,
y no otorga ningún derecho.

This posting is provided "AS IS" with no warranties, and confers no
rights.
You assume all risk for your use.



"Windows" wrote in message
news:
(ver "solution" :-)


Microsoft Internet Explorer "sysimage:" Local File Detection Weakness
http://secunia.com/advisories/13396/

Secunia Advisory: SA13396 Print Advisory
Release Date: 2004-12-08

Critical:Not critical
Impact: Exposure of system information
Where: From remote
Solution Status: Partial Fix

Software: Microsoft Internet Explorer 6

Select a product and view a complete list of all Patched/Unpatched
Secunia advisories affecting it.

Description:
Gregory R. Panakkal has discovered a weakness in Internet Explorer,
which can be exploited by malicious people to detect the presence of
local files.

The "sysimage:" URI handler is used for referencing embedded icons in
executable files. The problem is that a website in the "Internet" zone
can reference the URI handler in an image tag. This can be exploited
to determine the presence of local programs using the "onerror" and
"onload" events.

The weakness has been confirmed on a fully patched system with
Internet Explorer 6.0 and Microsoft Windows XP SP1.

Solution:
The weakness does not affect systems running Windows XP with SP2
installed.

Disable Active Scripting Support.

Provided and/or discovered by:
Gregory R. Panakkal

Preguntas similares