Cross-domain Validation Flaw Can Allow Web Pages to Read Local Files
A security flaw exists in the cross-domain script validation, which is meant to prohibit scripts from accessing the content of frames in another site or domain. This vulnerability may allow a remote attacker to view local files or form information entered into other sites.
Issue
Frames are used in Internet Explorer to provide for a fuller browsing experience. By design, scripts in the frame of one site or domain should be prohibited from accessing the content of frames in another site or domain. However, a flaw exists in how VBScript is handled in IE relating to validating cross-domain access. This flaw can allow scripts of one domain to access the contents of another domain in a frame.
A malicious user could exploit this vulnerability by using scripting to extract the contents of frames in other domains, then sending that content back to their web site. This would enable the attacker to view files on the user's local machine or capture the contents of third-party web sites the user visited after leaving the attacker’s site. The latter scenario could, in the worst case, enable the attacker to learn personal information like user names, passwords, or credit card information.
In both cases, the user would either have to go to a site under the attacker's control or view an HTML email sent by the attacker. In addition, the attacker would have to know the exact name and location of any files on the user's system. Further, the attacker could only gain access to files that can be displayed in a browser window, such as text files, HTML files, or image files.
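The cross-domain rule described above, written out as an added example (not Microsoft's code and not Internet Explorer's implementation): it shows the general scheme/host/port comparison a browser is expected to apply before a script reads another frame. The function names and every URL are constructed for illustration, and treating `file:` URLs as never matching is this example's assumption.

```javascript
// Added illustration: the cross-domain (same-origin) decision a browser is
// expected to make before a script in one frame reads another frame's content.
// The function names and all URLs below are constructed for this example.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to the (scheme, host, port) tuple used for the comparison.
// Non-network schemes such as file: get no tuple, so they never match anything.
function originOf(urlString) {
  let u;
  try {
    u = new URL(urlString);
  } catch (e) {
    return null; // unparsable: treat as having no origin
  }
  if (!(u.protocol in DEFAULT_PORTS)) return null;
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS[u.protocol],
  };
}

// Deny by default: access is allowed only when both sides have a tuple and
// every component matches.
function mayReadFrame(scriptUrl, frameUrl) {
  const a = originOf(scriptUrl);
  const b = originOf(frameUrl);
  if (a === null || b === null) return false;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Constructed cases mirroring the advisory's two scenarios plus controls.
const CASES = [
  ["http://site-a.example/page.html", "http://site-a.example/frame.html"],
  ["http://site-a.example/page.html", "file:///C:/docs/notes.txt"],
  ["http://site-a.example/page.html", "https://shop.example/checkout"],
  ["http://site-a.example/page.html", "http://site-a.example:8080/frame.html"],
  ["http://site-a.example/page.html", "http://SITE-A.example:80/other.html"],
];

function evaluateCases() {
  return CASES.map(([script, frame]) => mayReadFrame(script, frame));
}

console.log(evaluateCases());
```

The second and third cases correspond to the local-file and third-party-site scenarios in the advisory; both must be denied for the validation to hold.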
Affected Products
- Microsoft Internet Explorer 5.01, 5.5 and 6.0
Solution
Download and install the patch below or access Windows Update to automatically install the necessary patches.
Download
Patch: http://www.microsoft.com/windows/ie/downloads/critical/q318089/default.asp
Further Details
Source: Microsoft Corporation
Reference: Microsoft Corporation
Updated: February 21, 2002