September 6, 2000 1:40 PM PDT

IE security bug leaves files vulnerable

Microsoft is investigating a security vulnerability in its Internet Explorer browser that could give attackers free rein in reading known files on targeted computers.

The bug is the latest in a long history of vulnerabilities involving the use of Web scripting languages to circumvent browsers' security restrictions. One of the most widely used of these scripting languages, which let Web sites execute one or more actions on visitors' computers, is JavaScript.

Normally, a Web site can point to a local file on a visitor's computer and call that file up in a browser window. Under IE's security restrictions, only the visitor should be able to read it.

But in a scripting sleight of hand demonstrated by Bulgarian bug hunter Georgi Guninski, IE 5.5 lets the Web server inject a JavaScript address into the window displaying that local file--and through that scripting code read targeted files and relay them back to the Web server.

The fault lies in IE's Web Browser control, an ActiveX control that manages the sending and receiving of files. The problem is that the control handles the JavaScript code in the security context of the visitor's computer, rather than in that of the Web server that planted it.

Microsoft said it was investigating the problem but declined to comment further on it or the technologies involved.

Security analysts said the risk from such a scenario was high, and that the frequency of similar vulnerabilities pointed to a fundamental problem with the security models Microsoft and other software companies employed for their consumer products.

"The technology required is not new," SecurityFocus.com analyst Elias Levy wrote in an advisory on the bug to the Bugtraq security mailing list. "It's been available for years in 'trusted' operating systems used for some purposes by the military. Things like compartments, capabilities, privileges, information labels and data tainting need to be adopted by consumer operating systems."

 
