Re: Yet another IE aperture

["GreyMagic Security" <security () greymagic com>]

> Georgi Guninski security advisory #71, 2004
> http://www.guninski.com/where_do_you_want_billg_to_go_today_1.html

.. snip ..

> By opening html in IE it is possible to read at least well formed xml from
> arbitrary servers. The info then may be transmitted.

GreyMagic disclosed the EXACT same issue on August 2002, over two years ago.
Microsoft, at the time, took over 6 months to resolve the issue (initially
reported to them on Feb 2002) and eventually released a patch (MS02-047).

See http://www.greymagic.com/security/advisories/gm009-ie/ for more details
and a live PoC (it also shows a neat method to get partial content from
documents that aren't well-formed xml).

That said, all our tests of this issue currently throw an "Access denied"
exception, as they properly should. However, these tests are performed in
the Internet Zone. Your tests might have been performed in another zone that
had "Access data sources across domains" set to "Enabled," which would
enable this vulnerability by design.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html