A vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by remote attackers to gain knowledge of sensitive information. This issue is caused due to the browser failing to prevent local content from being rendered as HTML via the "file://" protocol, which could allow attackers to access files with an already known filename and location on a vulnerable system and e.g. read the contents of the "index.dat", which would allow them to view the cookies files on the system, and possibly other cached content by tricking a user into visiting a specially crafted web page.

Note : The vulnerability only affects browsers that are not running in Protected Mode. This mode is running by default for versions of Internet Explorer on Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008.

Affected Products

Microsoft Internet Explorer 5.x
Microsoft Internet Explorer 6.x
Microsoft Internet Explorer 7.x
Microsoft Internet Explorer 8.x

Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 3
Microsoft Windows XP Service Pack 2
Microsoft Windows XP Professional x64 Edition Service Pack 2
Microsoft Windows Vista x64 Edition Service Pack 2
Microsoft Windows Vista x64 Edition Service Pack 1
Microsoft Windows Vista x64 Edition
Microsoft Windows Vista Service Pack 2
Microsoft Windows Vista Service Pack 1
Microsoft Windows Vista
Microsoft Windows Server 2008 R2 (x64)
Microsoft Windows Server 2008 R2 (Itanium)
Microsoft Windows Server 2008 (x64) Service Pack 2
Microsoft Windows Server 2008 (x64)
Microsoft Windows Server 2008 (Itanium) Service Pack 2
Microsoft Windows Server 2008 (Itanium)
Microsoft Windows Server 2008 (32-bit) Service Pack 2
Microsoft Windows Server 2008 (32-bit)
Microsoft Windows Server 2003 x64 Edition Service Pack 2
Microsoft Windows Server 2003 SP2 (Itanium)
Microsoft Windows Server 2003 Service Pack 2
Microsoft Windows 7 (x64)
Microsoft Windows 7 (32-bit)

Solution

Apply patch and Enable Internet Explorer Network Protocol Lockdown :
http://www.microsoft.com/technet/security/Bulletin/MS10-035.mspx
http://support.microsoft.com/kb/980088

References

http://www.vupen.com/english/advisories/2010/0291
http://www.microsoft.com/technet/security/Bulletin/MS10-035.mspx
http://www.microsoft.com/technet/security/advisory/980088.mspx
http://www.coresecurity.com/content/internet-explorer-dynamic-object-tag

In-depth Binary Analysis

Available in customer area as part of VUPEN Binary Analysis & Exploits Service and VUPEN Vulnerability Notification Service Ultimate Feed Edition.
 

Private Exploit or PoC

Available in customer area as part of VUPEN Binary Analysis & Exploits Service and VUPEN Vulnerability Notification Service Ultimate Feed Edition.
 

Credits

Vulnerability reported by Jorge Luis Alvarez Medina and Federico Muttis (Core Security Technologies).

Changelog

2010-02-04 : Initial release
2010-06-08 : Updated Solution

Feedback

If you have additional information or corrections for this security advisory please submit them via our contact form.