Slashdot Mirror

← Back to Stories (view on slashdot.org)

IE Flaw Gives Hackers Access To User Files

Posted by timothy on from the open-file-my-documents dept.

snydeq writes "Microsoft warned that a flaw in IE gives attackers access to files stored on a PC under certain conditions. 'Our investigation so far has shown that if a user is using a version of Internet Explorer that is not running in Protected Mode an attacker may be able to access files with an already known filename and location,' Microsoft said in a security advisory. The vulnerability requires that an attacker knows the name of the file they want to access, according to the company."

11 of 259 comments (clear)

  1. This is bad. by Buelldozer · · Score: 5, Insightful

    When you go to my website I know what the cookie name is and I know the default file system location for that cookie. This one seems pretty bad.

    1. Re:This is bad. by jimicus · · Score: 4, Insightful

      Well, if any of those cookies are being used by supposedly secure sites to remember somebody's login so they can conveniently purchase in future, you may well know enough to log into their account on those shopping sites and get their real name, address and purchasing history. From this point, it's not a particularly large step to large-scale identity theft.

    2. Re:This is bad. by girlintraining · · Score: 4, Informative

      When you go to my website I know what the cookie name is and I know the default file system location for that cookie. This one seems pretty bad.

      You seem to forget that Windows XP, Vista, and Windows 7 all have file indexing enabled by default. By accessing those hidden .db files, you can get the complete list of filenames in each directory, including the names of the subdirectories in some cases.

      --
      #fuckbeta #iamslashdot #dicemustdie
  2. I wonder... by Ismene · · Score: 5, Insightful

    I wonder how many people have a "passwords.txt" file in their Documents. ;-)

    1. Re:I wonder... by byrdfl3w · · Score: 5, Funny

      Whew! Thanks! I deleted all my password.txt files before some nasty hacker got to me.
      Now I gotta tell my friends about this! Hold on while I log..

      Oh crap.

  3. Flawed by mcgrew · · Score: 4, Insightful

    an attacker may be able to access files with an already known filename and location

    One more reason not to keep your files in "My Documents". That part is easily guessed; "2009 Income Tax Returns" would be easy to guess as well.

    "Protected Mode prevents exploitation of this vulnerability and is running by default for versions of Internet Explorer on Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008," it said.

    Does XP have a protected mode? That's the version of Windows most people use IINM. Is this a ploy to get people to upgrade from XP?

    Microsoft hasn't seen any attacks that exploit the flaw and has yet to decide whether to repair the flaw through its monthly security patch release cycle or an urgent, out-of-cycle update.

    Has yet to decide whether to repair it? Hmmm... Ok, they're trying to decide when to. How about doing what every other browser company does and give us the patch NOW?

    --
    Free Martian Whores!
  4. I'm really getting sick of this excuse by apparently · · Score: 4, Insightful

    "The vulnerability requires that an attacker knows the name of the file they want to access, according to the company."

    Good thing no one knows to look for: "%USERPROFILE%\My Documents\Quicken\qdata.qdf"

  5. Only under certain circumstances. by 140Mandak262Jamuna · · Score: 4, Funny

    There is nothing to see here folks, move on. The bug kicks in only under certain circumstances. The circumstances are apparently running a Windows system with Internet Explorer as the default browser. Come on, how many slashdotters do that?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  6. Windows.edb = windows search index by electrogeist · · Score: 5, Interesting

    If they grab the windows search index file then they'd have a map to everything else?

    get \ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb (vista)
    or \All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb (xp)

    and http://www.simplecarver.com/tool.php?toolname=Windows Search Index Extractor

  7. Re:Steam by legio_noctis · · Score: 5, Interesting

    Unfortunately, the thread asking for Webkit in Steam at http://forums.steampowered.com/forums/showthread.php?t=861863 demonstrates how clueless the average gamer is about standards etc.

    Some choice quotations:

    "ie is fine"

    "I'd rather not have steam bloated with redundant tech right now."

    "Also W3C != Web Standards, and IE aren't the only ones not complying with the "standards", Firefox didn't comply with all W3C published recommendations either.(Don't know if that's still the case) [...] Microsoft is a business, and they don't want to take the blame because of a third parties inabillity to properly design websites. That is their design goal, and as the W3C isn't enforcable, as it's not considered a standard"

    "It works, it is secure and it isn't that slow"

    "IE is fine, and so was Windows 98."

    "there is nothing wrong with the day-to-day performance of Trident."

  8. financial information vulnerable by commodoresloat · · Score: 4, Funny

    That part is easily guessed; "2009 Income Tax Returns" would be easy to guess as well.

    Oh shit ... hackers can find out how broke I really am!!