A cross-domain scripting vulnerability exists in the way Microsoft Internet Explorer (IE) evaluates Content-Type and Content-Disposition headers and checks for files in the local browser cache. This vulnerability could allow a remote attacker to execute arbitrary script in a different domain, including the Local Machine Zone.
Microsoft Security Bulletin MS03-032 describes a vulnerability in the way IE checks for files in the local browser cache:
A flaw in Internet Explorer could allow a malicious Web site operator to access information in another Internet domain, or on the user's local system by injecting specially crafted code when the browser checks for the existence of files in the browser cache. ... There is a flaw in the way Internet Explorer checks the originating domain when checking for the existence of local files in the browser cache.
An attacker who is able to convince a user to access a specially crafted HTML document, such as an Internet web page or HTML email message, could execute arbitrary script with the privileges of the user in the security context of the Local Machine Zone. This technique could be used to read certain types of files in known locations on the user's system. In conjunction with other vulnerabilities (VU#626395, VU#25249), the attacker could execute arbitrary commands on the user's system. The attacker could also determine the path to the Temporary Internet Files folder (the browser cache) and access data from other web sites.
Microsoft credits LAC/SNS for reporting this vulnerability. Information used in this document came from LAC/SNS and Microsoft.
This document was written by Art Manion.