Today we released MS10-035, a security update with an Important severity update, addressing CVE-2010-0255. We’d like to talk briefly about that specific vulnerability and how we’ve addressed it.
This issue primarily impacts Internet Explorer running on Windows XP. Attacks against Internet Explorer running on Windows Vista and newer platforms are mitigated by Internet Explorer Protected Mode. This issue involves an attacker navigating directly to the user’s cache index file, index.dat, via a UNC path. Script planted in index.dat could in some cases execute in a security context enabling read access to other content on the local filesystem. Internet Explorer Protected Mode is a powerful mitigation because it disables the ability to access resources on the local filesystem via UNC paths, by default.
How would someone take advantage of this vulnerability?
An attack would involve malicious web content navigating a victim’s browser to a UNC path referencing index.dat on the local filesystem. Script planted within index.dat would then be able to read data from other local files on the machine. The attacker could then access files in predictable paths assuming the files were not locked for read or otherwise inaccessible. (e.g., restricted for read by the current user due to ACLs.)
All mitigations discussed in the following blog post would apply to CVE-2010-0255 as well:
MS09-019 (CVE-2009-1140): Benefits of IE Protected Mode, Additional Network Protocol Lockdown workaround
Specifically, besides Internet Explorer Protected Mode, Network Protocol Lockdown can be used to prevent exploitation of this issue.
The code change being made to address CVE-2010-0255 is also present on Windows Vista and newer platforms simply because users or administrators may have manually disabled Internet Explorer Protected Mode. Future attack scenarios may result in further code changes, though we anticipate that Internet Explorer Protected Mode will continue to provide protection against this overall threat class.
Thanks to Chengyun Chu for his contribution to this blog post.
- David Ross, MSRC Engineering
*Posting is provided "AS IS" with no warranties, and confers no rights.*