A URL decoding vulnerability in Microsoft Internet Explorer may allow remote attackers to bypass zone security restrictions and execute arbitrary code on affected systems.
IE uses a cross-domain security model to maintain separation between browser frames from different sources. This model is designed to prevent code in one domain from accessing data in a different domain. The Internet Security Manager Object determines which zone or domain a URL exists in and what actions can be performed.
An attacker may encode the host portion of a URL in a way that results in Internet Explorer evaluating content under the wrong security domain. The URL may contain special characters that are encoded twice, resulting in Internet Explorer evaluating a document on the remote server as belonging to the "My Computer" zone (Local Machine Zone). Internet Explorer may then allow arbitrary code to be executed due to less restrictive permissions in the Local Machine Zone.
Remote attackers may be able to execute arbitrary code with the privileges of a user running Internet Explorer. Attackers may also be able to perform cross-site scripting attacks and mislead users by displaying spoofed URLs. To exploit this vulnerability, the attacker must convince the user to visit a malicious web page.
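The host-portion double encoding described above can be flagged on the defensive side, for example in a proxy or log pipeline, by counting how many percent-decoding passes still change the authority part of a URL. The following is an added example, not code from the advisory or from Microsoft; the function names and the sample URLs (reserved example domains) are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Authority = text between "scheme://" and the first "/", "?" or "#" as written.
_AUTHORITY = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://([^/?#]*)")
_PCT = re.compile(r"%[0-9A-Fa-f]{2}")


def host_encoding_layers(url, max_rounds=5):
    """Return how many percent-decoding passes change the raw authority."""
    m = _AUTHORITY.match(url)
    if not m:
        return 0
    current, layers = m.group(1), 0
    # Decode repeatedly: a second productive pass means the host was
    # encoded twice, so two parsers may disagree about the real host.
    while layers < max_rounds and _PCT.search(current):
        current = unquote(current, encoding="latin-1")
        layers += 1
    return layers


def classify(url):
    """Label a URL by the encoding depth found in its host portion."""
    layers = host_encoding_layers(url)
    if layers >= 2:
        return "double-encoded-host"
    if layers == 1:
        return "encoded-host"
    return "clean"


# Constructed sample URLs, not taken from the advisory.
SAMPLES = [
    "http://www.example.com/index.html",
    "http://www.example.com/a%2520b",   # double encoding in the path only
    "http://www%2eexample.com/",        # one encoding layer in the host
    "http://www%252eexample.com/",      # two encoding layers in the host
]


def scan(urls):
    """Return (url, verdict) pairs for a list of URLs."""
    return [(u, classify(u)) for u in urls]


if __name__ == "__main__":
    for url, verdict in scan(SAMPLES):
        print(f"{verdict:20} {url}")
```

Legitimate URLs rarely percent-encode anything in the host, so even a single layer there is worth logging; encoding in the path alone is deliberately not flagged.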
Apply an update
Thanks to the Microsoft Corporation for reporting this vulnerability; Microsoft in turn credits Jouko Pynnönen with reporting the information.
This document was written by Ken MacInnis based primarily on information provided by the Microsoft Corporation.
Date First Published: 2005-02-08
Date Last Updated: 2005-06-14 23:44 UTC