Microsoft Internet Explorer Double Slash Cache Zone Bypass Vulnerability

A vulnerability has been reported in Internet Explorer that may allow cached Internet content to be rendered in the My Computer zone. It is possible to exploit this issue by including an extra slash when referencing cached content from within a web page, for example:

[SysDrive]:\\Documents and Settings\[user_name]\Local Settings\Temporary Internet Files\Content.IE5

The extra slash prior to "Documents and Settings" will cause the referenced content to be handled in the context of the My Computer zone. Combined with other vulnerabilities, this issue could lead to execution of arbitrary code on the client system. A proof-of-concept has been released to demonstrate this issue may be exploited with other issues to cause execution of arbitrary code in the context of the client user. It should be noted that the proof-of-concept may only function correctly if the Internet Explorer cache is in the default location.

** A new proof-of-concept has been made available which uses the vulnerability described in BID 9106 to locate the Internet Explorer cache.


Privacy Statement
Copyright 2010, SecurityFocus