Microsoft has another IE vulnerability on its hands. But is it a flaw, or is it a feature?
IE’s been having a miserable time of late, starring in scads of headlines about security flaws. Most recently came last week’s monthly security bulletin, a package of fixes for 20 individual problems in Microsoft products.
Included in the IE bulletin were fixes for a pair of COM (Component Object Model) instantiation memory corruption vulnerabilities, and a fix for an FTP server response-parsing memory corruption issue. The issues were rated as critical in versions of the browser prior to its current IE 7 iteration, in which they rank as only “important” or “low.”
The latest issue, discovered by Indian security researcher Rajesh Sethumadhavan, supposedly allows for information disclosure in IE 6 or 7 when a user visits a Web site.
According to an advisory posted by XDisclose, a vulnerability in IE 6 and 7 Windows Service Pack 2 leaves users who browse a malicious Web site, or who open an e-mail with a malicious HTML file, open to the exploit. XDisclose’s advisory maintains that the exploit can be used to access files on an affected system’s hard drive, such as bank information, which can then be displayed on a Web site.
XDisclose has deemed what it’s calling a flaw to be critical.
The so-called flaw has to do with the way in which IE handles different HTML tags. “Microsoft Windows Explorer is not handling various html tags like ‘img’ ‘script’ ’embed’ ‘object’ ‘param’ ‘style’ ‘bgsound’ ‘body’ ‘input’ (Other tags may be also vulnerable). By using the file protocol along with above tags it is possible to access victims’ local files,” the advisory states.
However, a Microsoft spokesperson told eWEEK that the company has already investigated the supposed flaw and determined that, while an attacker could detect the presence of files on an affected system, he or she wouldn’t be able to receive files from that system.
“In addition, the attacker must know the location of the file in advance,” the spokesperson wrote in an e-mail exchange. According to the spokesperson, this behavior is by design in current versions of Internet Explorer.
As far as rating its severity goes, the spokesperson said that Microsoft rates vulnerabilities as critical where that vulnerability can be used to achieve remote code execution. Since that’s not the case here, it’s not rated.
Here’s the design intent behind the behavior: “The ability to render content locally to the computer Internet Explorer is installed on, is a basic set of functionality in Internet Explorer as it allows users to view the contents of files on their system using Internet Explorer,” the spokesperson said. “The fact that a remotely provided link can render the contents of files on a remote system given the exact location of that file is just using this display functionality.”
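For mail gateways or web proxies that want to catch content probing local paths in the way the advisory describes, here is an added detection example (written for this piece, not code from XDisclose, Microsoft or eWEEK). It walks the tags the advisory lists, plus URLs inside a style block, and reports any reference that uses the file: scheme; the sample page and its paths are constructed placeholders.

```python
import re
from html.parser import HTMLParser

# Tags named in the advisory and the attributes on them that carry a URL the
# browser will fetch. 'style' is handled separately, since its URLs live in CSS.
URL_ATTRS = {
    "img": ("src",), "script": ("src",), "embed": ("src",),
    "object": ("data", "codebase"), "param": ("value",),
    "bgsound": ("src",), "body": ("background",), "input": ("src",),
}
# url(...) and @import '...' forms inside CSS text
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]+)|@import\s+['\"]([^'\"]+)", re.I)

class FileSchemeFinder(HTMLParser):
    """Collects (tag, attribute, url) triples whose URL uses the file: scheme."""
    def __init__(self):
        super().__init__()
        self.hits = []
        self._in_style = False

    def _check(self, tag, attr, value):
        if value and value.strip().lower().startswith("file:"):
            self.hits.append((tag, attr, value.strip()))

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS.get(tag, ()):
                self._check(tag, name, value)
        self._in_style = tag == "style"

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            for m in CSS_URL.finditer(data):
                self._check("style", "css", m.group(1) or m.group(2))

def find_file_scheme_refs(html):
    """Return every file:-scheme reference found in the given HTML."""
    parser = FileSchemeFinder()
    parser.feed(html)
    parser.close()
    return parser.hits

# Constructed sample: one remote image (benign) and several local-path probes.
SAMPLE = """<html><body background="file:///C:/placeholder/a.bmp">
<img src="https://example.test/logo.png">
<img src="FILE:///C:/placeholder/b.txt">
<style>@import 'file:///C:/placeholder/c.css'; h1{background:url(file:///C:/placeholder/d.png)}</style>
<object data="file:///C:/placeholder/e.txt"></object>
</body></html>"""

if __name__ == "__main__":
    for hit in find_file_scheme_refs(SAMPLE):
        print(hit)
```

A hit only shows that the page references a local path; as Microsoft notes, the reference reveals whether the file exists rather than its contents, so treat it as a probing indicator rather than proof of exfiltration.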
*Note: This posting was updated on 2/21/07 to include additional input from Microsoft on the nature of IE’s behavior in this case.