Vulnerability Note VU#800893

Microsoft Internet Explorer vulnerable to file disclosure via code containing GetObject() function

Original Release date: 14 Dec 2000 | Last revised: 16 Jan 2001


Internet Explorer may disclose files on your computer if you visit a malicious web site or read a mail message with Active Scripting enabled.


By design, Microsoft Internet Explorer prevents programs on web sites from reading files on your computer without authorization. Likewise, by design, Microsoft Outlook and Outlook Express prevent programs embedded in mail messages from reading files on your computer without authorization. One type of program that can be embedded in a web page or mail message is a script written in VBScript. According to the Microsoft VBScript FAQ, "VBScript is intended to be a safe subset of the language, it does not include file I/O or direct access to the underlying operating system." This restriction on VBScript is intended to allow VBScript programs to operate safely even without strong authentication.

Unfortunately, a flaw in the behavior of the GetObject call in VBScript permits access to files despite the putative restrictions on the VBScript language itself. Specifically, the GetObject call returns a reference to an automation object. Automation objects can be controlled through programmatic interfaces and accessed through well-defined properties. The programmatic interface and set of properties are determined by the class of the object. The class of the object is specified in the GetObject call itself. The call has the following syntax:

GetObject([pathname] [, class])

The pathname parameter is a reference to a file containing the object of interest.

One class is htmlfile. This class indicates the object should be interpreted as an HTML file. One of the properties of an htmlfile object is its Document Object Model, or DOM. A DOM is a model of a document in a web browser that allows programmatic access to the various parts of a document, such as titles, lists of links, or the text of the body.

When a GetObject call references a file on the local disk and specifies htmlfile as the class, the DOM of that file is subsequently available to VBScript programs (again, despite the restrictive language specification). A malicious VBScript can then return the contents of the document (accessed through the DOM) back to the web site, forward it through electronic mail, or otherwise disclose it.
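As an added example (not part of this note, and not Microsoft's or the discoverer's code), the following Python scanner applies the GetObject syntax described above to web or mail content: it splits the argument list, tells an omitted pathname apart from a literal or a dynamic one, and flags calls that hand a local file to the htmlfile class. The sample script it runs over is constructed for the example.

```python
import re

# GetObject(<args>) in VBScript, case-insensitive; nested parentheses in the
# argument list are not handled (such calls need manual review anyway).
GETOBJECT_RE = re.compile(r'\bGetObject\s*\(([^()]*)\)', re.IGNORECASE)
# Commas that separate arguments, i.e. those followed by an even number of quotes.
SPLIT_RE = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')
# A lone VBScript string literal; "" inside it is an escaped quote.
LITERAL_RE = re.compile(r'^"((?:[^"]|"")*)"$')
# Pathnames on the local machine: drive letter, UNC share or file: URL.
LOCAL_PATH_RE = re.compile(r'^(?:[a-z]:[\\/]|\\\\|file:)', re.IGNORECASE)

def parse_getobject_args(raw):
    """Per argument: '' if omitted, the text of a string literal, or None for
    an expression (variable, concatenation) that cannot be judged statically."""
    args = []
    for part in SPLIT_RE.split(raw):
        part = part.strip()
        m = LITERAL_RE.match(part)
        args.append('' if not part else m.group(1).replace('""', '"') if m else None)
    return args

def find_local_htmlfile_reads(script):
    """Flag GetObject calls that hand a local file to the htmlfile class."""
    findings = []
    for m in GETOBJECT_RE.finditer(script):
        args = parse_getobject_args(m.group(1))
        pathname, cls = args[0], (args[1] if len(args) > 1 else '')
        if pathname == '':                 # GetObject(, "X.Application"): no file
            continue
        if pathname is None or cls is None:
            verdict = 'review'             # dynamic pathname or class
        elif not LOCAL_PATH_RE.match(pathname):
            continue                       # remote URL, not a local file read
        elif cls.lower() == 'htmlfile':
            verdict = 'local-htmlfile'     # the pattern this note describes
        else:
            verdict = 'review'             # local file, class omitted or other
        findings.append({'call': m.group(0), 'pathname': pathname,
                         'class': cls, 'verdict': verdict})
    return findings

# Constructed sample mixing benign and suspicious calls (not taken from the note).
SAMPLE_SCRIPT = r'''<script language="VBScript">
Set a = GetObject("c:\sample.txt", "htmlfile")
Set b = GetObject(, "Word.Application")
Set c = GetObject("http://example.invalid/page.htm", "htmlfile")
Set d = GetObject(targetPath & ".htm", "htmlfile")
</script>'''
```

Calls with a dynamic pathname are reported as "review" rather than ignored, since a concatenated path cannot be judged without executing the script.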


Malicious web sites or email messages can read files that should be protected.


Until and unless a patch can be developed, we recommend disabling Active Scripting in Internet Explorer in any zone with untrusted hosts. Additionally, we recommend configuring Outlook using the guidelines found in Other products (including third-party products) that respect Internet Explorer security zones should be configured to run VBScript only in trusted zones.

Systems Affected

Vendor      Status     Date Notified   Date Updated
Microsoft   Affected   -               14 Dec 2000

CVSS Metrics

Group           Score   Vector
Base            N/A     N/A
Temporal        N/A     N/A
Environmental   N/A     N/A



Georgi Guninski discovered this problem and our understanding of it was aided by his work.

This document was written by Shawn Hernan.

Other Information

  • CVE IDs: Unknown
  • Date Public: 26 Sep 2000
  • Date First Published: 14 Dec 2000
  • Date Last Updated: 16 Jan 2001
  • Severity Metric: 6.00
  • Document Revision: 12

