Internet Explorer may disclose files on your computer if you visit a malicious web site or read a mail message with Active Scripting enabled.
By design, Microsoft Internet Explorer prevents programs on web sites from reading files on your computer without authorization. Likewise, by design, Microsoft Outlook and Outlook Express prevent programs embedded in mail messages from reading files on your computer without authorization. One type of program that can be embedded in a web page or mail message is a script written in VBScript. According to the Microsoft VBScript FAQ, "VBScript is intended to be a safe subset of the language, it does not include file I/O or direct access to the underlying operating system." This restriction on VBScript is intended to allow VBScript programs to operate safely even without strong authentication.
Unfortunately, a flaw in the behavior of the GetObject call in VBScript permits access to files despite the putative restrictions on the VBScript language itself. Specifically, the GetObject call returns a reference to an automation object. Automation objects can be controlled through programmatic interfaces and accessed through well-defined properties. The programmatic interface and set of properties are determined by the class of the object. The class of the object is specified in the GetObject call itself. The call has the following syntax:
Malicious web sites or email messages can read files that should be protected.
Until and unless a patch can be developed, we recommend disabling Active Scripting in Internet Explorer in any zone with untrusted hosts. Additionally, we recommend configuring Outlook using the guidelines found in http://www.microsoft.com/office/outlook/downloads/security.htm. Other products (including third-party products) that respect Internet Explorer security zones should be configured to run VBScript only in trusted zones.
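As an added audit helper, not taken from this note or from Microsoft, the PowerShell below reports whether the current user's Internet and Restricted sites zones have Active Scripting set to Disabled, the state the recommendation above calls for, and can set it. The registry layout it reads (zone subkeys 3 and 4, DWORD value 1400, actions 0/1/3) is assumed from Microsoft's documented zone storage; the advisory itself does not name those locations.

```powershell
# Added audit helper (not part of the CERT note): check and optionally enforce
# "Active Scripting = Disabled" in the IE zones that hold untrusted hosts.
# Assumption: per-user zone settings live under the documented layout
#   HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<n>
# with zone 3 = Internet, zone 4 = Restricted sites, and DWORD 1400 holding the
# Active Scripting action (0 = Enabled, 1 = Prompt, 3 = Disabled).
$ZoneRoot            = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ActiveScriptingName = '1400'
$UntrustedZones      = @{ 3 = 'Internet'; 4 = 'Restricted sites' }
$ActionNames         = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

function Get-ActiveScriptingState {
    # One object per untrusted zone: current action and whether it is Disabled.
    foreach ($id in ($UntrustedZones.Keys | Sort-Object)) {
        $key = Join-Path $ZoneRoot $id
        $raw = $null
        if (Test-Path $key) {
            $raw = (Get-ItemProperty -Path $key -Name $ActiveScriptingName -ErrorAction SilentlyContinue).$ActiveScriptingName
        }
        $label = if ($null -eq $raw) { 'Not set (zone default)' }
                 elseif ($ActionNames.ContainsKey([int]$raw)) { $ActionNames[[int]$raw] }
                 else { "Unknown ($raw)" }
        [pscustomobject]@{
            Zone      = $UntrustedZones[$id]
            ZoneId    = $id
            Setting   = $label
            Compliant = ($null -ne $raw -and [int]$raw -eq 3)
        }
    }
}

function Disable-ActiveScripting {
    # Sets Active Scripting to Disabled (3) in each untrusted zone for the current user.
    foreach ($id in $UntrustedZones.Keys) {
        $key = Join-Path $ZoneRoot $id
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name $ActiveScriptingName -Value 3 -Type DWord
    }
}

Get-ActiveScriptingState | Format-Table -AutoSize
```

Run `Disable-ActiveScripting` and re-run the audit to confirm both zones report Compliant; machine-wide policy can also set these values under HKLM, which this per-user check does not read.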
Georgi Guninski discovered this problem and our understanding of it was aided by his work.
Date First Published: 2000-12-14
Date Last Updated: 2001-01-17 04:53 UTC