Microsoft Internet Explorer XML redirect could be used to read files

ie-xml-redirect-read-files (9936)

Medium Risk

Description:

Microsoft Internet Explorer could allow a remote attacker to read files on another user's computer, caused by a vulnerability regarding the handling of XML file redirects. A remote attacker could create a malicious Web page that uses a file redirect to reference an external XML source, which could allow the attacker to view contents of remote XML files or portions of other files, if the path to the file on the targeted system is known.

Platforms Affected:

• Microsoft, Internet Explorer 5.01 SP3
• Microsoft, Internet Explorer 5.01 SP4
• Microsoft, Internet Explorer 5.5 SP2
• Microsoft, Internet Explorer 6
• Microsoft, Internet Explorer 6 SP1
• Microsoft, Windows 2000 SP3
• Microsoft, Windows 2000 SP4
• Microsoft, Windows 2003 Server x64
• Microsoft, Windows 2003 Server SP1
• Microsoft, Windows 2003 Server Itanium
• Microsoft, Windows 2003 Server
• Microsoft, Windows 2003 Server SP1 Itanium
• Microsoft, Windows XP 2003 64-bit Itanium
• Microsoft, Windows XP SP1 64-Bit Itanium
• Microsoft, Windows XP SP2
• Microsoft, Windows XP x64-Professional
• Microsoft, Windows XP SP1

Remedy:

Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.

— OR —

Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.

Consequences:

Obtain Information

References:

• CIAC Information Bulletin M-116, Microsoft Cumulative Patch for Internet Explorer at http://www.ciac.org/ciac/bulletins/m-116.shtml.
• GreyMagic Security Advisory GM#009-IE, Accessing remote/local content in IE at http://sec.greymagic.com/adv/gm009-ie/.
• Microsoft Security Bulletin MS02-047, Cumulative Patch for Internet Explorer (Q323759) at http://www.microsoft.com/technet/security/bulletin/ms02-047.mspx.
• Microsoft Security Bulletin MS02-066, Cumulative Patch for Internet Explorer (Q328970) at http://www.microsoft.com/technet/security/Bulletin/MS02-066.mspx.
• Microsoft Security Bulletin MS02-068, Cumulative Patch for Internet Explorer (324929) at http://www.microsoft.com/technet/security/Bulletin/MS02-068.mspx.
• Microsoft Security Bulletin MS03-004, Cumulative Patch for Internet Explorer (810847) at http://www.microsoft.com/technet/security/bulletin/ms03-004.mspx.
• Microsoft Security Bulletin MS03-015, Cumulative Patch for Internet Explorer (813489) at http://www.microsoft.com/technet/security/bulletin/ms03-015.mspx.
• Microsoft Security Bulletin MS03-020, Cumulative Patch for Internet Explorer (818529) at http://www.microsoft.com/technet/security/bulletin/ms03-020.mspx.
• Microsoft Security Bulletin MS03-032, Cumulative Patch for Internet Explorer (822925) at http://www.microsoft.com/technet/security/bulletin/ms03-032.mspx.
• Microsoft Security Bulletin MS03-040, Cumulative Patch for Internet Explorer (828750) at http://www.microsoft.com/technet/security/bulletin/ms03-040.mspx.
• Microsoft Security Bulletin MS03-048, Cumulative Security Update for Internet Explorer (824145) at http://www.microsoft.com/technet/security/bulletin/ms03-048.mspx.
• Microsoft Security Bulletin MS04-004, Cumulative Security Update for Internet Explorer (832894) at http://www.microsoft.com/technet/security/bulletin/ms04-004.mspx.
• Microsoft Security Bulletin MS04-025, Cumulative Security Update for Internet Explorer (867801) at http://www.microsoft.com/technet/security/bulletin/ms04-025.mspx.
• Microsoft Security Bulletin MS04-038, Cumulative Security Update for Internet Explorer (834707) at http://www.microsoft.com/technet/security/bulletin/ms04-038.mspx.
• Microsoft Security Bulletin MS04-040, Cumulative Security Update for Internet Explorer (889293) at http://www.microsoft.com/technet/security/bulletin/ms04-040.mspx.
• Microsoft Security Bulletin MS05-014, Cumulative Security Update for Internet Explorer (867282) at http://www.microsoft.com/technet/security/bulletin/ms05-014.mspx.
• Microsoft Security Bulletin MS05-020, Cumulative Security Update for Internet Explorer (890923) at http://www.microsoft.com/technet/security/Bulletin/MS05-020.mspx.
• Microsoft Security Bulletin MS05-025, http://www.microsoft.com/technet/security/bulletin/ms05-025.mspx at http://www.microsoft.com/technet/security/bulletin/ms05-025.mspx.
• Microsoft Security Bulletin MS05-025, Cumulative Security Update for Internet Explorer (883939) at http://www.microsoft.com/technet/security/bulletin/ms05-025.mspx.
• Microsoft Security Bulletin MS05-038, Cumulative Security Update for Internet Explorer (896727) at http://www.microsoft.com/technet/security/bulletin/ms05-038.mspx.
• Microsoft Security Bulletin MS05-038, Cumulative Security Update for Internet Explorer (896727) at http://www.microsoft.com/technet/security/bulletin/ms05-038.mspx.
• Microsoft Security Bulletin MS05-052, Cumulative Security Update for Internet Explorer (896688) at http://www.microsoft.com/technet/security/Bulletin/MS05-052.mspx.
• Microsoft Security Bulletin MS05-052, Cumulative Security Update for Internet Explorer (896688) at http://www.microsoft.com/technet/security/Bulletin/MS05-052.mspx.
• Microsoft Security Bulletin MS05-054, Cumulative Security Update for Internet Explorer (905915) at http://www.microsoft.com/technet/security/Bulletin/MS05-054.mspx.
• Microsoft Security Bulletin MS05-054, Cumulative Security Update for Internet Explorer (905915) at http://www.microsoft.com/technet/security/Bulletin/MS05-054.mspx.
• Microsoft Security Bulletin MS06-004, Cumulative Security Update for Internet Explorer (910620) at http://www.microsoft.com/technet/security/Bulletin/MS06-004.mspx.
• Microsoft Security Bulletin MS06-013, Cumulative Security Update for Internet Explorer (912812) at http://www.microsoft.com/technet/security/Bulletin/MS06-013.mspx.
• Microsoft Security Bulletin MS06-021, Cumulative Security Update for Internet Explorer (916281) at http://www.microsoft.com/technet/security/Bulletin/MS06-021.mspx.
• Microsoft Security Bulletin MS06-042, Cumulative Security Update for Internet Explorer (918899) at http://www.microsoft.com/technet/security/bulletin/ms06-042.mspx.
• Microsoft Security Bulletin MS06-067, Cumulative Security Update for Internet Explorer (922760) at http://www.microsoft.com/technet/security/bulletin/ms06-067.mspx.
• Microsoft Security Bulletin MS06-072, Cumulative Security Update for Internet Explorer (925454) at http://www.microsoft.com/technet/security/Bulletin/MS06-072.mspx.
• Microsoft Security Bulletin MS07-016, Cumulative Security Update for Internet Explorer (928090) at http://www.microsoft.com/technet/security/Bulletin/ms07-016.mspx.
• Microsoft Security Bulletin MS07-027, Cumulative Security Update for Internet Explorer (931768) at http://www.microsoft.com/technet/security/bulletin/ms07-027.mspx.
• Microsoft Security Bulletin MS07-033, Cumulative Security Update for Internet Explorer (933566) at http://www.microsoft.com/technet/security/bulletin/ms07-033.mspx.
• Microsoft Security Bulletin MS07-045, Cumulative Security Update for Internet Explorer (937143) at http://www.microsoft.com/technet/security/bulletin/ms07-045.mspx.
• Microsoft Security Bulletin MS07-057, Cumulative Security Update for Internet Explorer (939653) at http://www.microsoft.com/technet/security/Bulletin/MS07-057.mspx.
• Microsoft Security Bulletin MS07-069, Cumulative Security Update for Internet Explorer (942615) at http://www.microsoft.com/technet/security/bulletin/ms07-069.mspx.
• Microsoft Security Bulletin MS08-010, Cumulative Security Update for Internet Explorer (944533) at http://www.microsoft.com/technet/security/bulletin/ms08-010.mspx.
• Microsoft Security Bulletin MS08-024, Cumulative Security Update for Internet Explorer (947864) at http://www.microsoft.com/technet/security/bulletin/ms08-024.mspx.
• Microsoft Security Bulletin MS08-031, Cumulative Security Update for Internet Explorer (950759) at http://www.microsoft.com/technet/security/Bulletin/MS08-031.mspx.
• Microsoft Security Bulletin MS08-045, Cumulative Security Update for Internet Explorer (953838) at http://www.microsoft.com/technet/security/bulletin/ms08-045.mspx.
• Microsoft Security Bulletin MS08-058, Cumulative Security Update for Internet Explorer (956390) at http://www.microsoft.com/technet/security/bulletin/ms08-058.mspx.
• BID-13943: Microsoft Internet Explorer XML Redirect Information Disclosure Vulnerability
• BID-5560: Microsoft Internet Explorer XML Redirect File Disclosure Vulnerability
• CVE-2002-0648: The legacy