Information Security News mailing list archives

IE security bug leaves files vulnerable


From: William Knowles <wk () C4I ORG>
Date: Thu, 7 Sep 2000 03:55:02 -0500

http://news.cnet.com/news/0-1005-200-2710872.html

By Paul Festa
Staff Writer, CNET News.com
September 6, 2000, 12:40 p.m. PT

Microsoft is investigating a security vulnerability in its Internet
Explorer browser that could give attackers free rein in reading known
files on targeted computers.

The bug is the latest in a long history of vulnerabilities involving
the use of Web scripting languages to circumvent browsers' security
restrictions. One of the most widely used of these scripting
languages, which let Web sites execute one or more actions on
visitors' computers, is JavaScript.

Normally, a Web site can point to a local file on a visitor's computer
and call that file up in a browser window. Under IE's security
restrictions, only the visitor should be able to read it.

But in a scripting sleight of hand demonstrated by Bulgarian bug
hunter Georgi Guninski, IE 5.5 lets the Web server inject a JavaScript
address into the window displaying that local file--and through that
scripting code read targeted files and relay them back to the Web
server.

The fault lies in IE's Web Browser control, an ActiveX control that
manages the sending and receiving of files. The problem is that the
control is handling the JavaScript code in the security context of the
visitor's computer, rather than in the Web site server that planted
it.

Microsoft said it was investigating the problem but declined to
comment further on it or the technologies involved.

Security analysts said the risk from such a scenario was high, and
that the frequency of similar vulnerabilities pointed to a fundamental
problem with the security models Microsoft and other software
companies employed for their consumer products.

"The technology required is not new," SecurityFocus.com analyst Elias
Levy wrote in an advisory on the bug to the Bugtraq security mailing
list. "It's been available for years in 'trusted' operating systems
used for some purposes by the military. Things like compartments,
capabilities, privileges, information labels and data tainting need to
be adopted by consumer operating systems."


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen. Alfred M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com