Internet Explorer Information Disclosure Vulnerability

An information disclosure vulnerability exists when Internet Explorer does not properly handle file access permissions, which could allow an attacker to disclose the contents of arbitrary files on the user’s computer. An attacker who successfully exploited the vulnerability could potentially read data that was not intended to be disclosed. Note that the vulnerability would not allow an attacker to execute code or to elevate a user’s rights directly, but the vulnerability could be used to obtain information in an attempt to further compromise the affected system.

In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince users to take action. For example, an attacker could trick users into clicking a link that takes them to the attacker’s site.

The update addresses the vulnerability by helping to ensure that file access permissions are properly validated before returning file data to the user.