Microsoft IE Scriptlet Invoking ActiveX Arbitrary File Access

2000-12-01T00:00:00
ID OSVDB:7820
Type osvdb
Reporter Juan Carlos Garcia Cuartango
Modified 2000-12-01T00:00:00

Description

Vulnerability Description

Microsoft Internet Explorer contains a flaw that may lead to an unauthorized information disclosure. The ActiveX control used for invoking scriptlets can be used to render arbitrary file types instead of strictly HTML files, which could allow a malicious web site operator to create a script that would access arbitrary files on the victim's system, resulting in a loss of confidentiality.

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

References:

Vendor URL: http://www.microsoft.com/
Vendor Specific Solution URL: http://www.microsoft.com/windows/ie/downloads/critical/patch11/default.asp
Microsoft Security Bulletin: MS00-055
Microsoft Security Bulletin: MS00-093
Keyword: aka a variant of the "Scriptlet Rendering" vulnerability
ISS X-Force ID: 6085
CVE-2001-0091
Bugtraq ID: 1564