COMMAND

    MS Internet Explorer

SYSTEMS AFFECTED

    MS IE 5.0

PROBLEM

    Georgi Guninski found the following.  There is a security bug in
    Internet Explorer 5.0 which circumvents "Cross-frame security" and
    opens several security holes.  It is a variation of the "%01
    security bug" Georgi found in January (that one was fixed in IE
    5.0).  The problem seems to be in the "Microsoft Scriptlet
    Component".  If '%01someURL' is appended to the URL passed to the
    "Microsoft Scriptlet Component", IE treats the loaded document as
    if it came from the domain of 'someURL', so the cross-frame check
    no longer separates it from pages on that domain.  Some of the
    vulnerabilities are:

    1) IE allows reading local files and sending them to an arbitrary
       server.  The filename must be known in advance.  The bug may be
       exploited through an HTML mail message.  Demo is available at:

        http://www.nat.bg/~joro/scriptlet.html

    2) IE allows "window spoofing".
       After visiting a hostile page (or clicking a hostile link) a
       window is opened whose location shows a trusted site.  However,
       the content of the window is not that of the original site but
       is supplied by the owner of the hostile page.  The user is thus
       misled into believing he is browsing a trusted site while he is
       actually browsing a hostile page, and may provide sensitive
       information such as a credit card number.  The bug may be
       exploited through an HTML mail message.  Demo is available at:

        http://www.nat.bg/~joro/scrspoof.html

    This problem exists on both versions of IE5 that have been tested:
    5.00.0708.700 [ships with Windows 2000 Beta 2 build 5.00.1877] and
    5.00.2014.0216 [a public release].

    There is a way to exploit this with files that are not recognized
    as text.  The TDC (Tabular Data Control) must be used to read files
    with extensions other than .txt or .html.  A demonstration that
    reads AUTOEXEC.BAT is available at:

        http://www.nat.bg/~joro/scrauto.html
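    To make the mechanism concrete, the block below is an added
    illustration in JavaScript (run under Node); it is not code from the
    advisory, from Guninski's demos or from Microsoft.  It models a
    document loader that must decide two things for every URL: what to
    fetch and which origin the loaded document gets for cross-frame
    checks.  The flawed variant follows the advisory's description
    literally (origin computed from the text after '%01', fetch target
    taken from the text before it); the hardened variant refuses control
    characters and derives both answers from one parsed URL.  All
    function names and the attack URL are constructed for the demo and
    do not describe IE's real internals.

```javascript
// Added illustration of the URL/origin confusion the advisory describes.
// NOT the Scriptlet Component's code: a small model of a document loader
// that decides (a) what to fetch and (b) which origin the document gets
// for cross-frame security. Sample URLs below are constructed for the demo.

// Web origin of a URL as a WHATWG parser sees it. file: and other
// non-special schemes get the opaque origin "null", so a local file can
// never compare equal to a web origin.
function originOf(urlString) {
  return new URL(urlString).origin;
}

// Model of the flawed behaviour (assumption: the advisory's description
// taken literally): the text before "%01" is what gets fetched, while the
// text after it is what the origin is computed from.
function flawedLoad(rawUrl) {
  const marker = rawUrl.indexOf("%01");
  if (marker === -1) {
    return { fetched: rawUrl, origin: originOf(rawUrl) };
  }
  const fetched = rawUrl.slice(0, marker);       // local file really read
  const claimed = rawUrl.slice(marker + 3);      // origin the attacker picks
  return { fetched, origin: originOf(claimed) };
}

// Hardened loader: refuse URLs carrying C0/DEL control characters, raw or
// percent-encoded, then parse once and derive BOTH the fetch target and
// the origin from that single parsed URL.
function hardenedLoad(rawUrl) {
  if (/[\x00-\x1f\x7f]/.test(rawUrl) || /%(?:[01][0-9a-f]|7f)/i.test(rawUrl)) {
    throw new Error("control character in URL: " + JSON.stringify(rawUrl));
  }
  const parsed = new URL(rawUrl);
  return { fetched: parsed.href, origin: parsed.origin };
}

// Cross-frame check: script running under callerOrigin may touch the
// document only if the origins are identical and not opaque.
function canScript(callerOrigin, doc) {
  return doc.origin !== "null" && doc.origin === callerOrigin;
}

// Constructed attack URL: fetch a local file, claim a web origin.
const attackUrl = "file:///C:/autoexec.bat%01http://www.nat.bg/~joro/";

function demo() {
  const weak = flawedLoad(attackUrl);
  console.log("flawed:   fetched", weak.fetched, "as origin", weak.origin,
              "-> attacker script allowed:", canScript("http://www.nat.bg", weak));
  try {
    hardenedLoad(attackUrl);
  } catch (e) {
    console.log("hardened:", e.message);
  }
  const local = hardenedLoad("file:///C:/autoexec.bat");
  console.log("hardened: local file origin", local.origin,
              "-> attacker script allowed:", canScript("http://www.nat.bg", local));
}
demo();
```

    The point the model makes is that the hole is not in the scripting
    language but in computing "where did this document come from" from a
    different piece of input than "what did we actually load"; the fix is
    to parse once, reject control characters, and use one result for both.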

SOLUTION

    Workaround: disable JavaScript (in IE, "Active scripting" under the
    security zone's custom settings).  Hopefully this can't be exploited
    against anything but text files, as it is not terribly likely that
    you have sensitive information sitting around in text files whose
    names can be guessed.  Note, however, that the TDC variant described
    above reaches files with extensions other than .txt or .html, so the
    attacker's need to know the exact filename is the main remaining
    barrier.

    Microsoft highly recommends that customers evaluate the degree  of
    risk that this vulnerability poses to their systems and  determine
    whether  to  download  and  install  the  patch.  The patch can be
    found at

        http://www.microsoft.com/windows/ie/security/mshtml.asp