Microsoft Internet Explorer Web Folder Behaviors Cross-Domain Scripting Vulnerability

2005-08-09T00:00:00
ID SMNTC-14512
Type symantec
Reporter Symantec Security Response
Modified 2005-08-09T00:00:00

Description

Description

Microsoft Internet Explorer is prone to a security vulnerability that may let a Web page execute malicious script code in the context of an arbitrary domain or browser security zone. This issue is the result of a security flaw in the browser security model when handling URIs when a Web folder view is rendered. If exploited to access a foreign domain, this could allow script code embedded in a malicious Web page to access the properties of another site that the victim of the attack may trust. This would likely be exploited to steal credentials or sensitive information from the victim. The issue could also be exploited to execute arbitrary code by running malicious script code in a browser security zone with lowered security settings, such as the Local Machine, Trusted Sites or Intranet zone. Code execution would occur in the context of the currently logged in user.

Technologies Affected

  • Microsoft Internet Explorer 5.0.1
  • Microsoft Internet Explorer 5.0.1 SP1
  • Microsoft Internet Explorer 5.0.1 SP2
  • Microsoft Internet Explorer 5.0.1 SP3
  • Microsoft Internet Explorer 5.0.1 SP4
  • Microsoft Internet Explorer 5.5
  • Microsoft Internet Explorer 5.5 SP1
  • Microsoft Internet Explorer 5.5 SP2
  • Microsoft Internet Explorer 6.0
  • Microsoft Internet Explorer 6.0 SP1
  • Microsoft Internet Explorer 6.0 SP2 do not use

Recommendations

Run all software as a nonprivileged user with minimal access rights.
All non-administrative tasks, such as browsing the Web and reading email, should be performed as an unprivileged user with minimal access rights.

Do not follow links provided by unknown or untrusted sources.
Users should avoid visiting Web sites of questionable integrity or following links provided by an unfamiliar or untrusted source.

Set web browser security to disable the execution of script code or active content.
Disabling support for scripting and active content in the Internet Zone may limit exposure to this and other vulnerabilities.

Microsoft has released fixes to address supported versions of the software. Fixes for Internet Explorer on Windows 98/98SE/ME may be obtained through Windows Update. Microsoft has updated the security bulletin for this issue to reflect the availability of updated fixes. This is due to an issue with Systems Management Server (SMS) and the original fixes. Users who updated using Automatic Update, Windows Update, Microsoft Update, and Windows Server Update Services (WSUS) do not need to re-apply the fixes.