IE Flaw Gives Hackers Access To User Files
snydeq writes "Microsoft warned that a flaw in IE gives attackers access to files stored on a PC under certain conditions. 'Our investigation so far has shown that if a user is using a version of Internet Explorer that is not running in Protected Mode an attacker may be able to access files with an already known filename and location,' Microsoft said in a security advisory. The vulnerability requires that an attacker knows the name of the file they want to access, according to the company."
When you go to my website I know what the cookie name is and I know the default file system location for that cookie. This one seems pretty bad.
I wonder how many people have a "passwords.txt" file in their Documents. ;-)
"an attacker may be able to access files with an already known filename and location"
One more reason not to keep your files in "My Documents". That part is easily guessed; "2009 Income Tax Returns" would be easy to guess as well.
"Protected Mode prevents exploitation of this vulnerability and is running by default for versions of Internet Explorer on Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008," it said.
Does XP have a protected mode? That's the version of Windows most people use IINM. Is this a ploy to get people to upgrade from XP?
"Microsoft hasn't seen any attacks that exploit the flaw and has yet to decide whether to repair the flaw through its monthly security patch release cycle or an urgent, out-of-cycle update."
Has yet to decide whether to repair it? Hmmm... Ok, they're trying to decide when to. How about doing what every other browser company does and give us the patch NOW?
"The vulnerability requires that an attacker knows the name of the file they want to access, according to the company."
Good thing no one knows to look for: "%USERPROFILE%\My Documents\Quicken\qdata.qdf"