Microsoft IE NavigateAndFind Function Execute Code (NAFfileJPU)

2003-09-10T00:00:00
ID OSVDB:3096
Type osvdb
Reporter OSVDB
Modified 2003-09-10T00:00:00

Description

Vulnerability Description

Microsoft Internet Explorer allows a remote attacker to obtain sensitive information from a remote machine. The issue is due to a flaw in the NavigateAndFind function and how it operates with the file protocol. An attacker can create a custom HTML document using this function to obtain sensitive information about the system, or execute arbitrary code in a different window.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: Disable Active Scripting, ActiveX, and Web site plug-ins.

Short Description

Microsoft Internet Explorer allows a remote attacker to obtain sensitive information from a remote machine. The issue is due to a flaw in the NavigateAndFind function and how it operates with the file protocol. An attacker can create a custom HTML document using this function to obtain sensitive information about the system, or execute arbitrary code in a different window.

References:

Secunia Advisory ID:9711 Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2003-09/0149.html Keyword: NAFfileJPU ISS X-Force ID: 13165 CVE-2003-0816 Bugtraq ID: 8577