Thursday, February 4, 2010

IE users - malicious or hacked websites can read any file on your system

The IE flaw I blogged on last week has now been released.

Microsoft warns of new IE data-leakage vulnerability | Zero Day | ZDNet.com
Microsoft today issued a security advisory to acknowledge an information disclosure hole in its Internet Explorer browser and warned that an attacker could exploit the flaw to access files with an already known filename and location.

The vulnerability was first discussed at this week’s Black Hat DC conference by Jorge Luis Alvarez Medina, a security consultant with Core Security Technologies. Microsoft says the risk is highest for IE users running Windows XP or who have disabled the browser’s Protected Mode feature.

Medina’s presentation demonstrated how an attacker can read every file of an IE user’s filesystem. The attack scenario leveraged different design features of Internet Explorer that can be combined to do serious damage.

Microsoft has acknowledged the problem and issued an MSRC Security Bulletin, Security Advisory 980088 and a FixIt for the problem, which tells me (a) it's serious and (b) they expect exploitation soon. The MSKB article also includes .reg files for those who would rather use registry files instead of MS's FixIt. The MSRC Security Bulletin includes a link which downloads the FixIt. Home users should probably use the FixIt. Business users should alert their IT staff to this problem.

This comes on the heels of Krebs-On-Security's disclosure of a years-old way to crash IE6: Another Way to Ditch IE6
This past week, I was reminded of a conversation I had with an ethical hacker I met at the annual Defcon security conference in Las Vegas a couple of years back who showed me what remains the shortest, most elegant and reliable trick I’ve seen to crash the Internet Explorer 6 Web browser.

If you’re curious and have IE6 lying around, type or cut and paste the following into the address bar (that last character is a zero):

ms-its:%F0:

or just click this link with IE6.

I've tested the Krebs link, and it does crash IE6, at least on my Windows-2000 test machine.

The best solution to this for Windows users is to just avoid the use of IE and use Firefox, Chrome, or the Iron Browser instead.
