Microsoft Internet Explorer is prone to a cross-domain information-disclosure vulnerability.
An attacker can exploit this issue to access local files or content from a browser window in another domain or security zone. This may allow the attacker to obtain sensitive information or may aid in further attacks.
Credit: Jorge Luis Alvarez Medina and Federico Muttis from Core Security Technologies
The investigation so far has shown that if a user is using a version of Internet Explorer that is not running in Protected Mode an attacker may be able to access files with an already known filename and location. These versions include Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service 4; Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4; and Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 on supported editions of Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows Server 2003 Service Pack 2. Protected Mode prevents exploitation of this vulnerability and is running by default for versions of Internet Explorer on Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008.
The vulnerability exists due to content being forced to render incorrectly from local files in such a way that information can be exposed to malicious Web sites.
The URLMON sniffing vulnerability refers to the variant discovered in the CORE-2008-0826 time line. When loading a local file Internet Explorer’s HTML rendering engine [7] will only check its MIME type to see if it is a positive match on the files it can handle. For unknown types that are treated as HTML because they’ve been referred to by a redirection, content type determination will default to ‘text/html’ in absence of a type explicitly set by the content source. In the case of non-html files for which there isn’t an explicit content-type set, URLMON will default to the ‘text/html’ type as suggested from the redirection. As a result Internet Explorer will end up loading non-html local files and rendering them as HTML and running any scripting code included in the file in the context of the Security Zone assigned to the content’s source.
