Microsoft warns of IE flaw, turns PC into public file server

jmke · 5th February 2010, 10:48

Microsoft has issued Security Advisory (980088) to address a publicly disclosed vulnerability in Internet Explorer that may allow information disclosure for Windows XP users or for users who have disabled Internet Explorer Protected Mode. The advisory explains that content can be forced to render incorrectly from local files in such a way that information can be exposed to malicious websites.

The vulnerability was discussed in depth at this week's Black Hat DC conference by Jorge Luis Alvarez Medina, a security consultant with Core Security Technologies who revealed the issue a day after Microsoft released an out-of-band security bulletin for the browser. Here's the official description of the briefing: "In this presentation we will show how an attacker can read every file of your filesystem if you are using Internet Explorer. This attack leverages different design features of Internet Explorer entailing security risks that, while low if considered isolated, lead to interesting attack vectors when combined altogether. We will also disclose and demonstrate proof of concept code developed for the scenarios proposed."

http://arstechnica.com/microsoft/new...campai gn=rss

5th February 2010, 10:48	#1
jmke Madshrimp Join Date: May 2002 Location: 7090/Belgium Posts: 79,022	Microsoft warns of IE flaw, turns PC into public file server Microsoft has issued Security Advisory (980088) to address a publicly disclosed vulnerability in Internet Explorer that may allow information disclosure for Windows XP users or for users who have disabled Internet Explorer Protected Mode. The advisory explains that content can be forced to render incorrectly from local files in such a way that information can be exposed to malicious websites. The vulnerability was discussed in depth at this week's Black Hat DC conference by Jorge Luis Alvarez Medina, a security consultant with Core Security Technologies who revealed the issue a day after Microsoft released an out-of-band security bulletin for the browser. Here's the official description of the briefing: "In this presentation we will show how an attacker can read every file of your filesystem if you are using Internet Explorer. This attack leverages different design features of Internet Explorer entailing security risks that, while low if considered isolated, lead to interesting attack vectors when combined altogether. We will also disclose and demonstrate proof of concept code developed for the scenarios proposed." http://arstechnica.com/microsoft/new...campai gn=rss __________________

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Microsoft warns of TLS/SSL flaw in Windows	jmke	WebNews	0	10th February 2010 14:28
Microsoft patching "Google hack" flaw in IE tomorrow	jmke	WebNews	1	21st January 2010 10:56
Microsoft Patch Tuesday: 5 Criticals, 2 Important, 1 Moderate Patch	jmke	WebNews	0	14th April 2009 19:47
Microsoft plans new entry-level Windows server	jmke	WebNews	0	26th February 2009 17:19
Microsoft Security Bulletin Summary for September 2008	jmke	WebNews	0	9th September 2008 20:20
Microsoft Security Bulletin Summary for August 2007	jmke	WebNews	0	14th August 2007 23:21
Microsoft Security Bulletin Summary for February 2007	jmke	WebNews	0	14th February 2007 01:25
Microsoft Security Bulletin Summary for June 2006	jmke	WebNews	0	14th June 2006 21:51
List of fixes included in Windows XP Service Pack 2	jmke	WebNews	1	17th August 2004 16:03
HP and Microsoft Expand Security Solutions Portfolio	Sidney	WebNews	0	25th May 2004 07:28