More reading of local files in MSIE

More reading of local files in MSIE

Description

There is a security vulnerability in IE 5.5 and 6 (probably other
versions as well) which allows reading and sending of local files.
The problem lies in the fact that you are able to access a local file's
dom by calling the execScript function on a newly created window
The sample exploit provided can only read browser readable files however
it is highly likely that reading binary files is possible as well
(By attaching an event to the dom that calls the httpxmlcomponent, witch
itself at the point of writing is still vulnerable as well)
In order for this exploit to work the file name must be known.

Risk

High

Systems affected:

The vulnerability has been successfully exploited on
IE 6 / Windows XP with all patches installed
IE 5.5 / Windows ME

Most likely other operating system / internet explorer versions are
vulnerable as well I have not tested it though

Vendor status:

I send Microsoft a cc of my bugtraq post

Example:

A working example is available at
http://www.xs4all.nl/~jkuperus/bug2.htm
Workaround:

Disable active scripting

– Insert some random nasty remarks about Microsoft at the dotted line