Attackers could exploit a new security hole in Internet Explorer
(IE) to access local files on targeted systems, Microsoft confirmed
Tuesday. Proof-of-concept exploit code is available for the flaw.
The problem, discovered by
vulnerability researcher Rajesh Sethumadhavan, is that the
browser mishandles certain HTML tags. The flaw, he wrote in his
analysis, "could be exploited by a malicious remote user to obtain
sensitive local files from the victim's computer."
Sethumadhavan said the flaw exists in IE 6, and security firms
such as Cupertino, Calif.-based Symantec Corp. and Redwood Shores,
Calif.-based Qualys Inc. have independently confirmed it.
Specifically, the problem occurs when Internet Explorer handles
the following HTML tags:
- img
- script
- embed
- object
- param
- style
- bgsound
- body
- input
If these tags are preceded by the file protocol specification, a
remote attacker can access arbitrary local files on a victim's
system.
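
A defensive check for the pattern described above, added here as an example and not taken from the article or the researcher's analysis: it flags the listed tags in a page when one of their attribute values uses the `file:` scheme. That the file reference sits in an attribute value is an assumption, the names `scan` and `FileRefScanner` are hypothetical, and the sample markup is constructed.

```python
from html.parser import HTMLParser

# Tags named in the article as mishandled by the browser.
AFFECTED_TAGS = {"img", "script", "embed", "object", "param",
                 "style", "bgsound", "body", "input"}


def is_file_url(value):
    """True if an attribute value resolves to the file: scheme.

    Browsers ignore tabs/newlines inside URLs, surrounding whitespace,
    and scheme case, so normalise those before comparing.
    """
    cleaned = "".join(ch for ch in value if ch not in "\t\r\n")
    return cleaned.strip().lower().startswith("file:")


class FileRefScanner(HTMLParser):
    """Collect (tag, attribute, value) for listed tags that reference file:."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag/attribute names and decodes character
        # references in attribute values, so "fil&#101;:" arrives as "file:".
        if tag not in AFFECTED_TAGS:
            return
        for name, value in attrs:
            if value and is_file_url(value):
                self.findings.append((tag, name, value))


def scan(html_text):
    scanner = FileRefScanner()
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings


# Constructed sample page: three references that should be flagged,
# plus an <a> tag (not on the article's list) and benign tags.
SAMPLE = """<html><body background="file:///C:/constructed/example.bmp">
<img src="http://example.com/logo.png">
<IMG SRC=" FILE://C:/constructed/a.txt">
<script src="fil&#101;:///C:/constructed/b.js"></script>
<a href="file:///C:/constructed/c.txt">link</a>
<input type="image" src="/static/btn.png">
</body></html>"""

if __name__ == "__main__":
    for tag, attr, value in scan(SAMPLE):
        print(f"<{tag}> {attr}={value!r}")
```
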
Late Tuesday, a Microsoft spokeswoman confirmed that the
software giant is also aware of the problem.
"Microsoft has completed its investigation of new public reports
of a possible vulnerability in Internet Explorer [and] has
confirmed that this behavior could allow for information disclosure
when a user visits a Web site," she said in an email exchange.
However, she added, "An attacker could not receive files from an
affected system, but would only be able to detect the presence of
files. In addition, the attacker must know the location of the file
in advance."
To mitigate the risk, Symantec recommended users run all
software and the Web client as a non-privileged user with minimal
access rights and avoid links provided by unknown or untrusted
sources. Users should also refrain from visiting sites of
questionable integrity, Symantec said.