IE Flaw Gives Hackers Access To User Files
snydeq writes "Microsoft warned that a flaw in IE gives attackers access to files stored on a PC under certain conditions. 'Our investigation so far has shown that if a user is using a version of Internet Explorer that is not running in Protected Mode an attacker may be able to access files with an already known filename and location,' Microsoft said in a security advisory. The vulnerability requires that an attacker knows the name of the file they want to access, according to the company."
Except as far as I can tell from the advisory, the files are read only.
---- One button is the power button, the other is the Bender voice button "Bite My Shiny Metal Ass"
When you go to my website I know what the cookie name is and I know the default file system location for that cookie. This one seems pretty bad.
You seem to forget that Windows XP, Vista, and Windows 7 all have file indexing enabled by default. By accessing those hidden .db files, you can get the complete list of filenames in each directory, including the names of the subdirectories in some cases.
#fuckbeta #iamslashdot #dicemustdie
Only one reason as far as I'm concerned - Netflix instant viewing. Won't run in FF at all.
It won't? What the hell have I been doing for the last 6 months?! I must be delusional.
Or, more likely, you have your Firefox tweaked all to hell and you're blaming Netflix for your own tinkering. Believe me: it works fine in Firefox.
Comment of the year
Protected Mode requires a substantial change to the process security model. Basically, until Vista/Server 2008, NT followed what was essentially the *NIX security model, where access permissions of a program were determined by the user/group the program was run by. There are differences in implementation between NT and the various POSIX systems, but that's the general idea. The problem is that when the vast majority of your users run with nearly full access to the system, one misbehaved (vulnerable) program can bring everything crashing down.
In NT6 (Vista/Server 2008), Microsoft introduced a new concept of process integrity levels, which are a per-process (rather than per-user) level of security. By default, programs run with medium integrity, which means their access permissions are basically what they were before. High integrity processes, such as system processes or anything run with actual Administrator permissions, can access anything but can't be accessed by lower-integrity programs (which helps prevent elevation of privilege from a non-Admin program).
The relevant datum here is that Internet Explorer runs (by default) with Low integrity, which means it has extremely limited access to the rest of the system. A low-integrity process can't start medium-integrity processes, can't write to the vast majority of the filesystem (there's a special low-integrity folder for things like Temporary Internet Files) or registry, and basically is unable to cause any harm. The trick is, it has these limitations regardless of the permissions of the user who runs the program.
XP can't do that. If you, as a user, can write to a location, any program you start can too (unless you tell Windows to start it as another user). Therefore, since Protected Mode is just Microsoft's term for "this process runs with low integrity" and XP can't *do* low integrity, no, you don't get Protected Mode on XP, and never will (it would require a substantial change to the kernel security subsystem).
There's no place I could be, since I've found Serenity...
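The contrast drawn in the comment above between the per-user check and the per-process integrity check, as a simplified Python model added here (not code from the thread and not Windows code). The user name, file paths and function names are constructed for illustration, and the model assumes the default no-write-up policy with unlabeled objects treated as medium integrity.

```python
from dataclasses import dataclass
from enum import IntEnum

class Integrity(IntEnum):
    LOW = 4096       # values match the RIDs of the mandatory-label SIDs (S-1-16-4096, ...)
    MEDIUM = 8192
    HIGH = 12288

@dataclass
class Process:
    user: str
    integrity: Integrity = Integrity.MEDIUM   # default level for ordinary programs

@dataclass
class FileObject:
    path: str                                  # constructed sample path
    dacl: dict                                 # user -> set of granted rights
    label: Integrity = Integrity.MEDIUM        # unlabeled objects count as medium

def dacl_allows(proc, obj, right):
    return right in obj.dacl.get(proc.user, set())

def user_only_check(proc, obj, right):
    """XP-style decision: only the identity the process runs as matters."""
    return dacl_allows(proc, obj, right)

def integrity_check(proc, obj, right):
    """NT6-style decision: the label is checked first (no write-up), then the DACL."""
    if right == "write" and proc.integrity < obj.label:
        return False
    return dacl_allows(proc, obj, right)

def demo():
    rw = {"alice": {"read", "write"}}
    document = FileObject(r"C:\Users\alice\Documents\report.doc", rw)
    cache = FileObject(r"C:\Users\alice\AppData\LocalLow\cache.tmp", rw, Integrity.LOW)
    browser = Process("alice", Integrity.LOW)   # stands in for a Protected Mode browser
    editor = Process("alice")                   # ordinary medium-integrity program
    return {
        "xp_browser_writes_document": user_only_check(browser, document, "write"),
        "nt6_browser_writes_document": integrity_check(browser, document, "write"),
        "nt6_browser_writes_cache": integrity_check(browser, cache, "write"),
        "nt6_editor_writes_document": integrity_check(editor, document, "write"),
        "nt6_browser_reads_document": integrity_check(browser, document, "read"),
    }

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

In this model the label gates writes only, so a read by the low-integrity process still falls through to the DACL.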