CastleCops® - Internet Explorer file:// Request Zone Bypass Vulnerability

Internet Explorer is reported to be vulnerable to a zone bypass issue. Allegedly, if Internet Explorer attempts to open a web page containing numerous 'file://' requests each contained in a separate Iframe, the requested file will eventually be executed in the Local Computer zone.

Components Affected
Microsoft Internet Explorer 5.5 SP2
Microsoft Internet Explorer 5.5 SP1
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6.0 SP1
Microsoft Internet Explorer 6.0

Recommendations
Run all client software as a non-privileged user with minimal access rights.
Always run Internet Explorer as an unprivileged user. This will limit the consequences of successful exploitation of this and other latent vulnerabilities.

Do not follow links provided by unknown or untrusted sources.
Exploitation of this vulnerability can be accomplished by following a link to a malicious website or by viewing maliciously crafted HTML email. Caution should be exercised in accepting any communications from unknown or untrusted users.

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com .
Microsoft Internet Explorer 5.5 SP2:
Microsoft Internet Explorer 5.5 SP1:
Microsoft Internet Explorer 5.5:
Microsoft Internet Explorer 6.0 SP1:
Microsoft Internet Explorer 6.0:

Article continues...
Symantec - Security Response


	2002-2008 © Computer Cops LLC dba CastleCops®. All rights reserved. Acceptable Use Policy. Use signifies your agreement. 139ppm 0.118s (0.006s) Making cybercriminals unhappy since 2002*