New Internet Explorer bug allows personal information to be stolen

04 February 2010

Microsoft has discovered another flaw in Internet Explorer. The latest vulnerability could allow attackers to harvest any files from a victim's hard drive.

The Internet Explorer bug, which Microsoft covered in an advisory released yesterday, can be exploited by a maliciously crafted website.

"An attacker with knowledge of the precise location of a file on a remote hard drive could redirect the contents of the locally stored file and force the local content to be rendered as an HTML document, making it visible remotely", Microsoft said. Because any file that the user has access to could be harvested if its filename and path are known, it is possible for attackers to harvest the index.dat file, Microsoft added. "This would allow them to view the cookies files on the system, and possibly other cached content."

The vulnerability is exploitable on versions of Internet Explorer that are not running in protected mode. This mode stops the browser from accessing user files or system settings without explicit user consent.

However, protected mode was only introduced as a default option on Windows Vista and Windows 7, with Internet Explorer version 7 and higher. This makes many other versions vulnerable. Microsoft singles out Internet Explorer 5.01 and Internet Explorer 6 on Windows 2000 Service Pack 4, and Internet Explorer 6, 7, and 8 on Windows XP and Windows Server 2003 Service Pack 2.

This will do nothing to help the reputation of Internet Explorer 6, which is no longer supported by Google. The browser shipped with Windows XP, which explains its considerable popularity in the last few years. The operating system still has two-thirds of the personal computer market.

While not allowing for the execution of arbitrary code, this flaw could be used to harvest personal information that could help to mount an identity theft attack.
