COMMAND
IE
SYSTEMS AFFECTED
Microsoft Internet Explorer 4.x, 5.x
PROBLEM
The following is based on a Microsoft Security Bulletin (MS00-055).
This issue was discovered by Juan Carlos Garcia Cuartango. There
are two vulnerabilities at issue here:
- The "Scriptlet Rendering" vulnerability. The ActiveX control
that is used to invoke scriptlets is essentially a rendering
engine for HTML. However, it will render any file type, rather
than rendering HTML files only. This opens the door to a
scenario in which a malicious web site operator could provide
bogus information consisting of script, solely for the purpose
of introducing it into an IE system file with a known name, then
use the Scriptlet control to render the file. The net effect
would be to make the script run in the Local Computer Zone, at
which point it could access files on the user's local file
system.
- A new variant of the "Frame Domain Verification" vulnerability.
As discussed in Microsoft Security Bulletin MS00-033, two
functions do not enforce proper separation of frames in the same
window that reside in different domains. The new variant
involves an additional function with the same flaw. The net
effect of the vulnerability would be to enable a malicious web
site operator to open two frames, one in his domain and another
on the user's local file system, and enable the latter to pass
information to the former.
In order to exploit either vulnerability, a malicious web site
operator would need to know or guess the exact name and path of
each file he wanted to view. Even then, he could only view file
types that can be opened in a browser window - for instance, .txt
or .doc files, but not .exe or .dat files. If the web site were
in a Zone in which Active Scripting were disabled, neither
vulnerability could be exploited.
SOLUTION
Patch availability
http://www.microsoft.com/windows/ie/download/critical/patch11.htm