iPolicy Networks Security Advisory
 

Microsoft Internet Explorer Cross-Domain Information Disclosure Vulnerability

Date Discovered: 06/08/2010
Severity: High
Operating Systems Affected: Microsoft Windows 2000 Service Pack 4
Windows XP SP 2
Windows XP SP 3
Windows XP Professional x64 Edition SP 2
Windows Server 2003 SP 2
Windows Server 2003 x64 Edition SP 2
Windows Server 2003 SP2 for Itanium-based Systems
Windows Vista SP 1
Windows Vista SP 2
Windows Vista x64 Edition SP 1
Windows Vista x64 Edition SP 2
Windows Server 2008 for 32-bit Systems
Windows Server 2008 for 32-bit Systems SP 2
Windows Server 2008 for x64-based Systems
Windows Server 2008 for x64-based Systems SP 2
Windows Server 2008 for Itanium-based Systems
Windows Server 2008 for Itanium-based Systems SP 2
Application Affected: Internet Explorer 5.01 Service Pack 4
Internet Explorer 6 Service Pack 1
Internet Explorer 6
Internet Explorer 7
Internet Explorer 8
Identifiers: CVE-2010-0255
Synopsis
Microsoft Internet Explorer is prone to an information disclosure vulnerability that could allow an attacker to view content from the local computer or from a browser window in another domain or Internet Explorer zone.
Recommended Actions
Apply the patches as directed by the vendor at:
http://www.microsoft.com/technet/security/bulletin/MS10-035.mspx
Threat Analysis
An information disclosure vulnerability exists in Microsoft Internet Explorer. The vulnerability is caused by improper sanitization when cached content is called. As a result, Internet Explorer domain restrictions are bypassed.

A remote attacker could exploit the vulnerability by tricking a user into visiting a specially crafted Web page, which could allow information disclosure. Successful exploitation could allow the attacker to view content from the local computer or from a browser window in another domain or Internet Explorer zone.
References

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0255

Write-up by: Anupam Kumar