Microsoft IE SSL Cached Content Spoofing

2004-10-12T17:18:16
ID OSVDB:10709
Type osvdb
Reporter Mitja Kolsek (security@acrossecurity.com)
Modified 2004-10-12T17:18:16

Description

Vulnerability Description

Internet Explorer contains a flaw that may lead to unauthorized information disclosure. The issue is triggered by improper handling of cached SSL content, which discloses information and results in a loss of confidentiality. It also allows content on SSL-protected websites to be spoofed, resulting in a loss of integrity.

Solution Description

Install Microsoft security update MS04-038, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround:

Change advanced security settings to not save encrypted pages to disk.

  1. In Internet Explorer, click Internet Options on the Tools menu.
  2. Click the Advanced tab.
  3. Under Settings, scroll to Security.
  4. Under Settings, in the Security section, click Do not save encrypted pages to disk.
  5. Click OK two times to return to Internet Explorer.

References:

Security Tracker: 1011642
Secunia Advisory ID: 12806
Related OSVDB ID: 10708
Related OSVDB ID: 10710
Related OSVDB ID: 10705
Related OSVDB ID: 10704
Related OSVDB ID: 10706
Related OSVDB ID: 10707
Microsoft Security Bulletin: MS04-038
Microsoft Knowledge Base Article: 834707
ISS X-Force ID: 17651
CVE-2004-0845