Diary

 

Information Disclosure Vulnerability in Internet Explorer
Share |
Published: 2010-02-03,
Last Updated: 2010-02-04 02:54:07 UTC
by Johannes Ullrich (Version: 1)
8 comment(s)

Microsoft just publish KB Article 980088 [1] in response to the recently announced vulnerability in Internet Explorer. Microsoft confirms that it is possible for a malicious website to read files from the clients computer. All versions of Windows and Internet Explorer appear to be affected.

There is currently no patch for this problem. Microsoft advices users to set the Internet and Local Intranet security zone settings to "High". This will cause a prompt before running ActiveX Controlls and active scripting.

The attacker needs to know the file name. However, a typical target for this vulnerability would be a configuration file which is typically located at a predictable location.

[1] http://www.microsoft.com/technet/security/advisory/980088.mspx

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: advisory internet explorer microsoft
8 comment(s)

Comments

"All versions of Windows and Internet Explorer appear to be infected."

You might want to change that to "affected"...
posted by eb, Wed Feb 03 2010, 22:53
No, "infected" sounds better.
posted by cyber armageddon, Wed Feb 03 2010, 23:46
Come on...vulnerable, not infected. What are you going to tell your end users, other than use a different browser?
posted by Richard, Thu Feb 04 2010, 02:29
Thanks Eb, changed the diary.
posted by Mark, Thu Feb 04 2010, 02:55
does anyone have snort signature for this ?
posted by bodik, Thu Feb 04 2010, 08:22
I snorted when I read "All versions of Windows and Internet Explorer appear to be infected." but I'm guessing that's not what you're looking for. :)
posted by dilbert, Thu Feb 04 2010, 13:51
If you want the real info on this vulnerability go here:
http://www.coresecurity.com/content/internet-explorer-dynamic-object-tag
It will actually give you some idea of what you are dealing with.
posted by gman, Fri Feb 05 2010, 00:28
The IE exploit will probably be delivered through heavily obfuscated javascript, so I imagine a Snort signature would be very difficult to write. HIPS/Endpoint protection products are probably better equiped to detect and block it.
posted by Shawn, Fri Feb 05 2010, 22:18
Login here to post a comment. Diary Archive