Credit:
The information has been provided by Jorge Luis Alvarez Medina and Federico Muttis.
The original article can be found at: http://www.coresecurity.com/content/internet-explorer-dynamic-object-tag
Vulnerable Systems:
* Internet Explorer 5.01 SP4 on Windows 2000 sp4
* Internet Explorer 6sp1 on Windows 2000 sp4
* Internet Explorer 6sp2 on Windows XP sp2
* Internet Explorer 6sp2 on Windows XP sp3
* Internet Explorer 7 on Windows XP sp2
* Internet Explorer 7 on Windows XP sp3
* Internet Explorer 7 on Windows Vista sp1
* Internet Explorer 7 on Windows Vista sp2
* Internet Explorer 7 on Windows Server 2003 sp2 if Protected Mode is OFF and not using Enhanced Security Configuration
* Internet Explorer 7 on Windows Server 2008 if Protected Mode is OFF and not using Enhanced Security Configuration
* Internet Explorer 8 on Windows XP sp2
* Internet Explorer 8 on Windows XP sp3
* Internet Explorer 8 on Windows Vista sp1 if Protected Mode is OFF
* Internet Explorer 8 on Windows Vista sp2 if Protected Mode is OFF
* Internet Explorer 8 on Windows 7 if Protected Mode is OFF
* Internet Explorer 8 on Windows Server 2003 sp2 if Protected Mode is OFF and not using Enhanced Security Configuration
* Internet Explorer 8 on Windows Server 2008 R2 if Protected Mode is OFF and not using Enhanced Security Configuration
Immune Systems:
* Internet Explorer 7 on Windows Vista/Windows Server 2003/Windows 7 if Protected Mode is ON
* Internet Explorer 8 on Windows Vista/Windows Server 2003 if Protected Mode is ON
* Internet Explorer 8 on Windows Server 2003 if Protected Mode is ON
* Internet Explorer 8 on Windows 7/Windows Server 2008 R2 if Protected Mode is ON
These vulnerabilities can be used in attacks combined with a number of insecure features of Internet Explorer to provide remote access to locally stored files without the need for any further action from the victim after visiting a website controlled by the attacker. Exploitation of these vulnerabilities requires enticing users to click on URLs or otherwise visit a malicious website controlled by the attacker, but no further user interaction is needed. As a result, an attacker would gain the ability to read any file stored on the user's desktop system but will not be able to fully compromise it to execute arbitrary code without restrictions.
Workaround:
The vendor has provided guidance on how to address these vulnerabilities in Microsoft Security Advisory (980088):
http://www.microsoft.com/technet/security/advisory/980088.mspx
To prevent exploitation of these vulnerabilities the following mitigations are possible:
* Run Internet Explorer with Protected Mode turned ON if it is supported by the operating system. This is the default setting for the Internet security zone on Windows Vista, Windows 7 and Windows Server 2008. Note that there may be specific scenarios where Protected Mode may need to be turned off.
* Use Internet Explorer's Network Protocol Lockdown feature control to restrict the 'file:' protocol, which prevents HTML content loaded from UNC paths from running scripting or ActiveX controls. Note that Network Protocol Lockdown may affect the functionality of web applications that rely on relaxed security configurations of IE.
* Set the Security Level setting to High for the Internet and Local Intranet security zones to prevent IE from running scripts or ActiveX controls.
* Disable Active Scripting for the Internet and Local Intranet zones manually with a custom security setting.
* Use a different web browser to navigate untrusted web sites.
Additionally, disabling file sharing if it is not necessary and filtering outbound SMB connections at the endpoint or network perimeter are good security measures to prevent disclosure of sensitive information such as valid user, system and domain names that could be used to perform attacks that abuse the vulnerabilities described in this advisory.
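As an added audit example (not part of this advisory or of the vendor guidance), the following read-only PowerShell script reports whether the zone-based mitigations listed above are in place on a host. The registry paths and value numbers (zone value 2500 for Protected Mode, 1400 for Active Scripting, CurrentLevel for the zone security level, FEATURE_PROTOCOL_LOCKDOWN and RestrictedProtocols for Network Protocol Lockdown) are assumed from the author's knowledge of IE's zone settings, not taken from the advisory text, so verify them against Microsoft Security Advisory 980088 before relying on the output.

```powershell
# Added audit script, not from the advisory. Read-only: it reports which of the
# advisory's mitigations are configured for the Local Intranet (1) and Internet (3)
# zones. Run elevated so the HKLM feature-control keys are readable.
# Registry paths/values below are assumptions from IE zone-setting documentation.
$zones          = @{ 1 = 'Local Intranet'; 3 = 'Internet' }
$zoneRoot       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$lockdownKey    = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN'
$restrictedRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols'

function Get-ZoneValue([int]$Zone, [string]$Name) {
    # Returns the named DWORD for a zone, or $null if the key/value is absent
    # (e.g. Protected Mode value 2500 does not exist on Windows XP / 2003).
    $key = Join-Path $zoneRoot $Zone
    if (Test-Path $key) { (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).$Name }
}

function Test-IEMitigations {
    # Network Protocol Lockdown is active only when the feature is enabled for
    # iexplore.exe AND the 'file' protocol is listed for the zone being checked.
    $lockdownOn = (Test-Path $lockdownKey) -and
                  ((Get-ItemProperty -Path $lockdownKey).'iexplore.exe' -eq 1)
    foreach ($id in $zones.Keys) {
        $zoneRestricted = Join-Path $restrictedRoot $id
        $fileLocked = $lockdownOn -and (Test-Path $zoneRestricted) -and
                      ((Get-ItemProperty -Path $zoneRestricted).'file' -eq 'file')
        [pscustomobject]@{
            Zone               = $zones[$id]
            ProtectedModeOn    = ((Get-ZoneValue $id '2500') -eq 0)        # 0 = on, 3 = off
            ActiveScriptingOff = ((Get-ZoneValue $id '1400') -eq 3)        # 0 = enable, 1 = prompt, 3 = disable
            SecurityLevelHigh  = ((Get-ZoneValue $id 'CurrentLevel') -eq 0x12000)
            FileProtocolLocked = $fileLocked
        }
    }
}

Test-IEMitigations | Format-Table -AutoSize
```

The script reads only the current user's zone hive; settings pushed by Group Policy live under the Policies keys instead and will not be reflected here, so treat a negative result as "not set for this user" rather than proof the mitigation is absent.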
CVE Information:
CVE-2010-0255
Disclosure Timeline:
2009-04-17: Microsoft Notified
2009-08-12: Microsoft's MSRC acknowledged
2010-02-03: Advisory published