High risk : Internet Explorer file:// Request Zone Bypass Vulnerability
Last Updated: May 13 2003 08:33, Started by
Guest_AcidMan_*
, May 13 2003 08:33
·
0

#1
Guest_AcidMan_*
Posted 13 May 2003 - 08:33

Internet Explorer file:// Request Zone Bypass Vulnerability
Risk [COLOR=red] Date Discovered 05-09-2003 Description Internet Explorer is reported to be vulnerable to a zone bypass issue. Allegedly, if Internet Explorer attempts to open a web page containing numerous 'file://' requests each contained in a separate Iframe, the requested file will eventually be executed in the Local Computer zone. Platforms Affected Microsoft Windows 2000 Advanced Server Microsoft Windows 2000 Advanced Server SP1 Microsoft Windows 2000 Advanced Server SP2 Microsoft Windows 2000 Datacenter Server Microsoft Windows 2000 Datacenter Server SP1 Microsoft Windows 2000 Datacenter Server SP2 Microsoft Windows 2000 Professional Microsoft Windows 2000 Professional SP1 Microsoft Windows 2000 Professional SP2 Microsoft Windows 2000 Server Microsoft Windows 2000 Server SP1 Microsoft Windows 2000 Server SP2 Microsoft Windows 2000 Terminal Services Microsoft Windows 2000 Terminal Services SP1 Microsoft Windows 2000 Terminal Services SP2 Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows 98SE Microsoft Windows ME Microsoft Windows NT Enterprise Server 4.0 Microsoft Windows NT Enterprise Server 4.0 SP1 Microsoft Windows NT Enterprise Server 4.0 SP2 Microsoft Windows NT Enterprise Server 4.0 SP3 Microsoft Windows NT Enterprise Server 4.0 SP4 Microsoft Windows NT Enterprise Server 4.0 SP5 Microsoft Windows NT Enterprise Server 4.0 SP6 Microsoft Windows NT Enterprise Server 4.0 SP6a Microsoft Windows NT Server 4.0 Microsoft Windows NT Server 4.0 SP1 Microsoft Windows NT Server 4.0 SP2 Microsoft Windows NT Server 4.0 SP3 Microsoft Windows NT Server 4.0 SP4 Microsoft Windows NT Server 4.0 SP5 Microsoft Windows NT Server 4.0 SP6 Microsoft Windows NT Server 4.0 SP6a Microsoft Windows NT Terminal Server 4.0 Microsoft Windows NT Terminal Server 4.0 SP1 Microsoft Windows NT Terminal Server 4.0 SP2 Microsoft Windows NT Terminal Server 4.0 SP3 Microsoft Windows NT Terminal Server 4.0 SP4 Microsoft Windows NT Terminal Server 4.0 SP5 Microsoft Windows NT Terminal Server 4.0 SP6 Microsoft Windows NT Terminal Server 4.0 SP6a Microsoft Windows NT Workstation 4.0 Microsoft Windows NT Workstation 4.0 SP1 Microsoft Windows NT Workstation 4.0 SP2 Microsoft Windows NT Workstation 4.0 SP3 Microsoft Windows NT Workstation 4.0 SP4 Microsoft Windows NT Workstation 4.0 SP5 Microsoft Windows NT Workstation 4.0 SP6 Microsoft Windows NT Workstation 4.0 SP6a Components Affected Microsoft Internet Explorer 5.5 SP2 Microsoft Internet Explorer 5.5 SP1 Microsoft Internet Explorer 5.5 Microsoft Internet Explorer 6.0 SP1 Microsoft Internet Explorer 6.0 Recommendations Run all client software as a non-privileged user with minimal access rights. Always run Internet Explorer as an unprivileged user. This will limit the consequences of successful exploitation of this and other latent vulnerabilities. Do not follow links provided by unknown or untrusted sources. Exploitation of this vulnerability can be accomplished by following a link to a malicious website or by viewing maliciously crafted HTML email. Caution should be exercised in accepting any communications from unknown or untrusted users. Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] . Microsoft Internet Explorer 5.5 SP2: Microsoft Internet Explorer 5.5 SP1: Microsoft Internet Explorer 5.5: Microsoft Internet Explorer 6.0 SP1: Microsoft Internet Explorer 6.0: References Source: Flooding Internet Explorer 6.0.2800 (6.x?) security zones ![CRITICAL] URL: msg://bugtraq/[email protected] Source: Re: Flooding Internet Explorer 6.0.2800 (6.x?) security zones ! [CRITICAL] URL: msg://bugtraq/[email protected]195.143.217.90 Source: Technet Security URL: http://www.microsoft...ity/default.asp Credits Discovery is credited to "Marek Bialoglowy" |
Anunturi
Bun venit pe Forumul Softpedia!
▶ 0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users