Microsoft Internet Explorer contains a cross-domain vulnerability in how it handles redirected object data. This could allow an attacker to access the content of a web page in a different domain.
The Cross-Domain Security Model
IE uses a cross-domain security model to maintain separation between browser frames from different sources. This model is designed to prevent code in one domain from accessing data in a different domain. The Internet Security Manager Object determines which zone or domain a URL exists in and what actions can be performed. From Microsoft Security Bulletin MS03-048:
By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message), an attacker may be able to obtain access to web content in another domain. The impact is similar to that of a cross-site scripting vulnerability. For a more detailed description of the impact of cross-site scripting vulnerabilities, please see CERT Advisory CA-2000-02.
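The domain-separation rule described under "The Cross-Domain Security Model", sketched as an added example (not Internet Explorer's code and not from the bulletin): the access decision is made on the URL the object data was finally served from after any redirects, not on the URL originally requested. The function names are hypothetical, and the generic scheme/host/port origin comparison is an assumption standing in for IE's zone and domain determination.

```javascript
// Added illustration; names are hypothetical and this is not Internet Explorer's code.

// Origin = scheme + host + port; the URL parser normalises default ports.
function originOf(url) {
  const u = new URL(url);
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    return null; // treated as an opaque origin: never granted access
  }
  return u.origin;
}

// Resolve each redirect Location against the URL that issued it and
// return the URL the content was actually served from.
function finalUrl(requestedUrl, redirectLocations) {
  let current = new URL(requestedUrl);
  for (const location of redirectLocations) {
    current = new URL(location, current); // relative Locations are allowed
  }
  return current.href;
}

// Decide whether script in the frame at `frameUrl` may read object data
// that was requested from `requestedUrl` and then redirected.
function mayAccess(frameUrl, requestedUrl, redirectLocations = []) {
  const frameOrigin = originOf(frameUrl);
  const dataOrigin = originOf(finalUrl(requestedUrl, redirectLocations));
  return frameOrigin !== null && frameOrigin === dataOrigin;
}

// Constructed sample cases: [frame, requested URL, redirect Locations].
const frame = "http://a.example/page.html";
const cases = [
  [frame, "http://a.example/data", []],                            // same origin
  [frame, "http://a.example/data", ["http://b.example/private"]],  // redirected away
  [frame, "http://a.example/data", ["/moved/data"]],               // relative redirect
  [frame, "http://a.example:80/data", []],                         // default port
  [frame, "https://a.example/data", []],                           // scheme differs
];
for (const [f, requested, redirects] of cases) {
  console.log(mayAccess(f, requested, redirects), requested, "->",
              finalUrl(requested, redirects));
}
```

The second case is the one that matters here: the request starts in the frame's own domain, but the data comes from another domain, so access is refused.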
Apply an update
This vulnerability was publicly disclosed by Plebo Aesdi Nael.
This document was written by Will Dormann.
Date First Published: 2006-06-28
Date Last Updated: 2006-08-08 17:50 UTC