
Another Internet Explorer Vulnerability (…sigh)

February 4th, 2010 | Brian Wahoff | Posted in Data Security

Well, here we are again. A few weeks after Microsoft pushed out a critical patch to all versions of Internet Explorer, Jorge Luis Alvarez Medina, a security consultant with Core Security Technologies, provided details of another attack against the beleaguered browser. This time, an attacker “may be able to access files with an already known file name and location.” If that sounds a bit scary, it should. It falls into a class of attacks called “Local File Disclosure” and can be exploited by sending the victim to a malicious site that attempts to read files stored on the victim's computer. The attack leverages several design features of Internet Explorer that, combined, can do serious damage. Secunia has rated this as “Moderately critical.”

So what versions are vulnerable this time? Basically all versions of IE on Windows 2000, Windows XP, and Windows Server 2003 (with Enhanced Security Configuration disabled). Protected Mode, a feature of Internet Explorer on Windows Vista, Windows 7, and Windows Server 2008, prevents the attack from succeeding.

The Microsoft Security Advisory (980088) does contain a few workarounds for those stuck on a vulnerable platform:

  • Disable Active Scripting for the Internet Zone
  • Enable Network Protocol Lockdown for the file:// protocol (Windows XP only)
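Both workarounds are registry settings, so they can be checked and applied with a script rather than by clicking through Internet Options on every machine. The PowerShell below is an added example written for this post, not code from Microsoft's advisory. It assumes PowerShell 2.0 is installed on the Windows XP host and that the script runs from an administrator account; the registry paths and values it uses (URL action 1400 for Active Scripting in zone 3, the FEATURE_PROTOCOL_LOCKDOWN feature-control key, and the per-zone RestrictedProtocols policy keys) are taken from memory of Microsoft's documented workarounds and should be compared against the advisory text before the script is deployed.

```powershell
# Added example (not from the original post or from Microsoft's advisory).
# Reports the current state of the two Advisory 980088 workarounds, applies
# them, and reports again. Registry locations are assumptions taken from
# Microsoft's documented workaround text; verify them against the advisory.
# Run from an elevated PowerShell prompt on the affected Windows XP host.

# Internet zone (3) per-user URL actions; 1400 = Active Scripting
$zoneInternet    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
# Feature-control key that switches Network Protocol Lockdown on per process
$lockdownFeature = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN'
# Per-zone list of protocols that are locked down once the feature is on
$restrictedBase  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols'

function Get-WorkaroundState {
    # Read each setting without failing if the key is absent (the default on a clean install)
    $scripting  = (Get-ItemProperty -Path $zoneInternet    -ErrorAction SilentlyContinue).'1400'
    $lockdown   = (Get-ItemProperty -Path $lockdownFeature -ErrorAction SilentlyContinue).'iexplore.exe'
    $fileLocked = (Get-ItemProperty -Path "$restrictedBase\3" -ErrorAction SilentlyContinue).'file'

    # URL action values: 0 = enable, 1 = prompt, 3 = disable; absent means IE's default (enabled)
    if ($null -eq $scripting) {
        $scriptingText = 'Unset (IE default: Enabled)'
    } else {
        $scriptingText = switch ($scripting) { 0 { 'Enabled' } 1 { 'Prompt' } 3 { 'Disabled' } default { "Unknown ($scripting)" } }
    }

    New-Object PSObject -Property @{
        ActiveScriptingInternetZone = $scriptingText
        ProtocolLockdownEnabled     = ($lockdown -eq 1)
        FileProtocolRestricted      = ($fileLocked -eq 'file')
    }
}

function Set-ActiveScriptingDisabled {
    # Workaround 1: disable Active Scripting in the Internet zone.
    # This lives under HKCU, so it applies to the current user's profile only.
    if (-not (Test-Path $zoneInternet)) { New-Item -Path $zoneInternet -Force | Out-Null }
    Set-ItemProperty -Path $zoneInternet -Name '1400' -Value 3 -Type DWord
}

function Enable-FileProtocolLockdown {
    # Workaround 2 (Windows XP): Network Protocol Lockdown for file: in the
    # Internet (3) and Restricted Sites (4) zones. The feature must be switched
    # on for the browser process and the protocol listed per zone.
    if (-not (Test-Path $lockdownFeature)) { New-Item -Path $lockdownFeature -Force | Out-Null }
    foreach ($exe in 'iexplore.exe', 'explorer.exe', '*') {
        Set-ItemProperty -Path $lockdownFeature -Name $exe -Value 1 -Type DWord
    }
    foreach ($zone in 3, 4) {
        $key = "$restrictedBase\$zone"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name 'file' -Value 'file' -Type String
    }
}

Write-Host 'Before:'
Get-WorkaroundState | Format-List
Set-ActiveScriptingDisabled
Enable-FileProtocolLockdown
Write-Host 'After:'
Get-WorkaroundState | Format-List
```

Two caveats before running this on more than a test machine. The Active Scripting setting is written under HKCU, so it only covers the profile that runs the script; for a fleet, push the equivalent setting through Group Policy instead. Disabling Active Scripting in the Internet zone will also break legitimate sites that depend on JavaScript, which is why the advisory offers it as a temporary workaround rather than a permanent fix. Restart Internet Explorer after applying the changes so the new settings take effect.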

So far there are no known attacks in the wild, but we recommend that you take steps to protect your computers if you are using a vulnerable version.

