IE Flaw Gives Hackers Access To User Files
snydeq writes "Microsoft warned that a flaw in IE gives attackers access to files stored on a PC under certain conditions. 'Our investigation so far has shown that if a user is using a version of Internet Explorer that is not running in Protected Mode an attacker may be able to access files with an already known filename and location,' Microsoft said in a security advisory. The vulnerability requires that an attacker knows the name of the file they want to access, according to the company."
Yet another reason for games to stop using IE as their built-in patcher/notification/whatever. If you really need to display an HTML file, let the system display it with whatever the configured default is.
I read about vulns in Firefox pretty often too. Granted, IE's tend to be stupider and MS's policy of ignoring vulns until they're shoved in their faces with an in-the-wild exploit (and then only patching once a month) is pretty awful, but it's not like other browsers are a magic bullet.
That said, I wouldn't be caught dead using IE, nor let friends or family do it.
93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
The article seems to suggest (although does not explicitly state) that the hacker would be able to read the files, not overwrite them. If that's the case, I don't see why the System32 directory would be that important, unless you keep secret data embedded in your system binaries.
Actually, a very important distinction of the word "access" was not mentioned. This flaw only seems to give read access to the files, so you cannot just modify any file you wish.
It's still a major security flaw, of course, but will be slightly more difficult to exploit. It's great for targeted phishing though. You'll be able to find out a lot about the target.
c++;
If they grab the windows search index file then they'd have a map to everything else?
get \ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb (vista)
or \All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb (xp)
and http://www.simplecarver.com/tool.php?toolname=Windows Search Index Extractor
You mean like...
C:\users\%username%\AppData\Local\Microsoft\Outlook\outlook.pst?
hmmm...??? like that?
A computer once beat me at chess, but it was no match for me at kick boxing. Emo Philips
If a site needs IE today, I don't need that particular site.
Good luck trying to tell that to your boss.
I work in the US Health Care Industry, principally making tools for hospitals to use a patient's electronic health record. The majority of our clients are forced into using IE6 by their IT departments.
There's a reason I use my HIPAA rights to make sure my records only live on paper.
Nobody knows where I keep THIS file.
The difference is that a lot of software which works on Windows XP is broken on Windows 7, including several games that I tried, whereas for the various Loki games that don't work there's Loki_Compat, and for most everything else you have source and can recompile. There's still ample reason to use Windows XP, because for many tasks it is superior to modern Windows. Of course, there are limited cases where this is true for Linux as well, such as when you desire to run OpenMOSIX which AFAIK last worked on 2.4 series kernels.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"