Internet Explorer Information Disclosure Vulnerability

Posted on February 4th, 2010 by Ryan Spanier

GSA Reference Number: AD100203-01

Simply Put: A new Internet Explorer (IE) information disclosure vulnerability has been announced by Microsoft. This vulnerability could allow an attacker to access files in known locations on the victim’s system. No widespread worms or exploit packs are currently known to use this vulnerability, and Microsoft has stated that it does not know of any attacks currently taking advantage of it. This vulnerability does not affect Internet Explorer running in Protected Mode, which is the default setting on Windows Vista, Windows Server 2008, and Windows 7. Protected Mode is not available on Windows XP. A patch has not yet been released by Microsoft.

Attack Details: This attack can be triggered by visiting a maliciously crafted web site, or a site that accepts user-created content, such as a forum or blog. According to Microsoft, the attack takes advantage of a bug in the rendering of certain types of content. Judging from the workaround suggestions provided by Microsoft, the attack may rely on ActiveX controls to function. The attack only works if the attacker knows the exact file name and path of the file being accessed. Unfortunately, many sensitive operating system files are located in well-known locations.

Countermeasures: Microsoft has not released a patch for this vulnerability at this time. Running Internet Explorer in Protected Mode will prevent this attack. Operating systems that support Protected Mode include Windows Vista, Windows Server 2008, and Windows 7. To mitigate this vulnerability on Windows XP, Microsoft recommends that users set their Internet and Local Intranet security zones to “High.” This forces the user to acknowledge every ActiveX control on a web page before it is allowed to run.
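As an added example (not part of this advisory or of Microsoft's guidance), the following PowerShell script audits the two settings the workaround depends on for the current user: the security level of the Internet and Local Intranet zones, and whether Protected Mode is on for those zones. The registry path is the standard per-user zone key; the numeric meanings of CurrentLevel, value 1200 (Run ActiveX controls and plug-ins) and value 2500 (Protected Mode) are taken from Microsoft's documented zone template values and are assumptions you should confirm on your own build.

```powershell
# Added example: audit IE security-zone settings relevant to the advisory's workaround.
# Reads the per-user zone keys only; machine-wide Group Policy (HKLM) can override these.
$zonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Zone numbers: 1 = Local Intranet, 3 = Internet (the two zones the advisory names).
$zones = @{ 1 = 'Local Intranet'; 3 = 'Internet' }

# CurrentLevel template values (assumed mapping from Microsoft's zone templates).
$levels = @{
    0x10000 = 'Low'
    0x10500 = 'Medium-low'
    0x11000 = 'Medium'
    0x11500 = 'Medium-high'
    0x12000 = 'High'
}

function Get-ZoneAudit {
    param([int]$ZoneId, [string]$ZoneName)
    $props = Get-ItemProperty -Path (Join-Path $zonesKey $ZoneId) -ErrorAction Stop
    $level = [int]$props.CurrentLevel

    # Value '1200' = Run ActiveX controls and plug-ins: 0 enable, 1 prompt, 3 disable (assumed mapping).
    $activeX = $props.'1200'

    # Value '2500' = Protected Mode: 0 enabled, 3 disabled. Absent on Windows XP, which has no Protected Mode.
    $protected = $props.'2500'

    [pscustomobject]@{
        Zone          = $ZoneName
        Level         = if ($levels.ContainsKey($level)) { $levels[$level] } else { 'Custom (0x{0:X})' -f $level }
        ActiveXPrompt = ($activeX -eq 1 -or $activeX -eq 3)   # ActiveX is prompted or blocked
        ProtectedMode = if ($null -eq $protected) { 'n/a' } else { $protected -eq 0 }
        # Either the zone is at High (the XP workaround) or Protected Mode is on (Vista and later).
        Mitigated     = ($level -eq 0x12000) -or ($protected -eq 0)
    }
}

$report = foreach ($id in $zones.Keys) { Get-ZoneAudit -ZoneId $id -ZoneName $zones[$id] }
$report | Format-Table -AutoSize

if ($report | Where-Object { -not $_.Mitigated }) {
    Write-Warning 'At least one zone is neither set to High nor running in Protected Mode.'
}
```

Run it as the user whose browser you are checking, since the settings are per user. Protected Mode on Vista and later also requires User Account Control to be enabled, so a `ProtectedMode` value of `True` here should be read together with the UAC state on the machine.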

Other mitigating factors are listed in the Microsoft Security Advisory. Gladiator rates the risk of this vulnerability as Severe. As such, institutions should examine the risks of users browsing the Internet with Internet Explorer at this time. Using Internet Explorer for business applications is still recommended if those applications are developed for use with Internet Explorer, especially if they are hosted internally or provided by trusted vendors or partners. However, Gladiator recommends that users do not use Internet Explorer at this time for general Internet browsing, such as search engines, social networking sites, or news sites, until a suitable patch has been released and applied.


