search menu icon-carat-right cmu-wordmark

CERT Coordination Center


Microsoft Internet Explorer vulnerable to file disclosure via code containing GetObject() function

Vulnerability Note VU#800893

Original Release Date: 2000-12-14 | Last Revised: 2001-01-17

Overview

Internet Explorer may disclose files on your computer if you visit a malicious web site or read a mail message with Active Scripting enabled.

Description

By design, Microsoft Internet Explorer prevents programs on web sites from reading files on your computer without authorization. Likewise, by design, Microsoft Outlook and Outlook Express prevent programs embedded in mail messages from reading files on your computer without authorization. One type of program that can be embedded in a web page or mail message is a script written in VBScript. According to the Microsoft VBScript FAQ, "VBScript is intended to be a safe subset of the language, it does not include file I/O or direct access to the underlying operating system. " This restriction on VBScript is intended to allow VBScript programs to operate safely even without strong authentication.

Unfortunately, a flaw in the behavior of the GetObject call in VBScript permits access to files despite the putative restrictions on the VBScript language intself. Specifically, the GetObject call returns a reference to an automation object. Automation objects can be controlled through programmatic interfaces and accessed through well defined properties. The programmatic interface and set of properties are determined by the class of the object. The class of the object is specified in the GetObject call itslef. The call has the following syntax:

GetObject([pathname] [, class])

The pathname paramter is a reference to a file containing the object of interest.

One class is htmlfile. This class indicates the object should be interpreted as an HTML file. One of the properties of an htmlfile object is its Document Object Model, or DOM. A DOM is a model of a document in a web browser that allows programmatic access to the various parts of a document, such as titles, lists of links, or the text of the body.

When the GetObject calls references a file on the local disk and specifies htmlfile as the class, the DOM of that file is subsequently available to VBScript programs (again, despite the restrictive language specification). A malicious VBScript can then return the contents of the document (accessed through the DOM) back to the web site, forward it through electronic mail, or otherwise disclose it.

Impact

Malicious web sites or email messages can read files that should be protected.

Solution

Until and unless a patch can be developed, we recommend disabling Active Scripting in Internet Explorer in any zone with untrusted hosts. Additionally, we recommend configuring Outlook using the guidelines found in http://www.microsoft.com/office/outlook/downloads/security.htm. Other products (including third-party products) that respect Internet Explorer security zones should be configured to run VBScript only in trusted zones.

Vendor Information

800893
Expand all

Microsoft

Updated:  December 14, 2000

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Internal testing at the CERT Coordination Center confirms the existence of this vulnerability.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

Georgi Guninski discovered this problem and our understanding of it was aided by his work.

This document was written by Shawn Hernan.

Other Information

CVE IDs: None
Severity Metric: 6.00
Date Public: 2000-09-26
Date First Published: 2000-12-14
Date Last Updated: 2001-01-17 04:53 UTC
Document Revision: 12

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.