Nasty new IE bug exposes your files (please panic now!)

Microsoft has confirmed a thoroughly revolting vulnerability in all versions of Internet Explorer. It means that bad guys can read your files remotely. In IT Blogwatch, bloggers panic and pray for patches.

By Richi Jennings. February 4, 2010.


Your humble blogwatcher selected these bloggy morsels for your enjoyment. Not to mention embracing life...

    Ryan Naraine loves the smell of vulns. in the morning:

At this week’s Black Hat DC conference ... Jorge Luis Alvarez Medina, a security consultant with Core Security Technologies ... demonstrated how an attacker can read every file of an IE user’s filesystem. ... [He] leveraged different design features of Internet Explorer that can be combined to do serious damage.


IE’s Protected Mode prevents exploitation of this vulnerability. ... The problem does affect every version of the browser but is considered most serious on Windows XP.

Darren Allan adds:

Hot on the heels of the China-Google hacking furore, it seems another issue has raised its ugly head. ... [It] allows an attacker to access a file (or files) on a PC, providing they already know the name of the file and its location.


Meantime, more folks are probably thinking of hopping on the Firefox train, or other alternative browsers.

Microsoft's Jerry Bryant pours oil on troubled waters:

Today we released Security Advisory 980088 to address a publicly disclosed vulnerability in Internet Explorer that may allow Information Disclosure for customers running on Windows XP or who have disabled Internet Explorer Protected Mode. ... [They] can help protect themselves by implementing Network Protocol Lockdown. We have created a Microsoft Fix It to automate this.


We are working to produce an update for this vulnerability and when that is complete, we will take appropriate action to protect customers, which may include releasing an update out-of-band.

Kelly Jackson Higgins talked to Medina:

The attack basically abuses the way features in IE are designed, Medina says, and it only works when a combination of features are abused in the attacks. A single feature can't be abused to wage the attack, he says. It does not, however, allow the attacker to execute code remotely or to control the victim's machine.


"If [the PC is] referred to by its IP address, it will be treated as part of the Internet zone, which brings complications." ... Another step in the attack would trigger an SMB connection between the victim's browser and the attacker's server, which forces a handshake between the two that exposes the victim's Windows user name and other identifying information.

But Shaun Nichols sighs:

The warning is the latest in what has become a string of bad publicity for Microsoft's browser. In January a zero-day flaw for Internet Explorer surfaced which sent Microsoft scrambling to issue an update and lead some security experts to recommend that users swear off the browser entirely.

Nigel Morris-Cotterill explains why it matters:

A "vulnerability in Internet Explorer could allow information disclosure." ... This wording is both obscure and calculated to terrify. ... This is the kind of language that is used by people who draft legislation. ... By Microsoft issuing its "advisory" all companies that operate 2000 or XP (or server 2003) software are now on notice that data is not secure. And so by failing to do something about it, they are failing to take proper care of data.


Under data protection laws in many countries and even individual US states such as California, there are very - VERY - substantial penalties if it turns out that data is lost. The UK, for example, has recently announced that negligent loss of data will incur a civil penalty (i.e. imposed without trial) of up to GBP500,000 per instance.

So what's your take?

Get involved: leave a comment.

    And finally...

Richi Jennings, your humble blogwatcher
  Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and security. A cross-functional IT geek since 1985, he is also an analyst at Ferris Research. You can follow him as @richi on Twitter, or richij on FriendFeed, pretend to be richij's friend on Facebook, or just use good old email:

Don't miss out on IT Blogwatch:

Copyright © 2010 IDG Communications, Inc.

Shop Tech Products at Amazon