SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips
 

Vulnerability Note VU#468843

Microsoft Internet Explorer 7 DisableCachingOfSSLPages may not prevent caching

Overview

Setting the Internet Explorer 7 option DisableCachingOfSSLPages may not prevent the caching of SSL-enabled web pages.

I. Description

Administrators and users can set the Internet Explorer DisableCachingOfSSLPages option to prevent sensitive or private data from being saved to disk. The registry key for this setting is:

    HKCU\Software\Microsoft\Windows\CurrentVersion\InternetSettings\DisableCachingOfSSLPages

After enabling this setting, Internet Explorer 7 may still cache SSL-enabled web pages to disk.

II. Impact

Private or sensitive data may be written to disk inadvertently.

III. Solution

We are currently unaware of a practical solution to this problem.

Secure deletion

Securely deleting or encrypting the Internet Explorer 7 browser cache (%userprofile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low) that contains the sensitive information will mitigate this vulnerability.

Systems Affected

VendorStatusDate Updated
Microsoft CorporationVulnerable22-Apr-2008

References


http://technet2.microsoft.com/windowsserver/en/library/c07587ec-4a60-4bca-8508-29a4296b72121033.mspx?mfr=true
http://technet.microsoft.com/en-us/sysinternals/bb897443.aspx
http://technet2.microsoft.com/WindowsVista/en/library/58358421-a7f5-4c97-ab41-2bcc61a58a701033.mspx?mfr=true
http://blogs.msdn.com/ie/archive/2006/02/09/528963.aspx
http://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software

Credit

Thanks to Bill KNox from MITRE for reporting this vulnerability.

This document was written by Ryan Giobbi.

Other Information

Date Public05/09/2008
Date First Published05/09/2008 07:59:14 AM
Date Last Updated05/09/2008
CERT Advisory 
CVE Name 
US-CERT Technical Alerts 
Metric2.40
Document Revision18

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Produced 2008 by US-CERT, a government organization
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader