XML-related information leak vulnerability in IE6, IE7, IE8 and IE9 will not be fixed


By Wolfgang Lonien

The move to IE 10 among users of the IE family seems to be progressing steadily, but today an information leak vulnerability affecting IE 6 through IE 9 came to light. There are reportedly no plans to fix this vulnerability, and JVN, which provides vulnerability information and countermeasures, recommends that affected users upgrade to IE 10.

JVN#63901692: Information leak vulnerability in Internet Explorer
http://jvn.jp/jp/JVN63901692/


Internet Explorer has a flaw in its handling of XML files: when a specially crafted XML file is opened as a local file, the contents of another local file may be leaked.

Because the attack does not succeed unless the user performs the action "open the XML file as a local file", the rating for user involvement is "medium". However, the attack can be carried out via the Internet, requires no authentication, and can be performed even without expert knowledge, so the risk is considered quite high.


As a workaround, the impact can be mitigated by not saving untrusted files to the local disk, but Microsoft has said it has no plans to fix this vulnerability in any version of IE. A vulnerability surfacing at this point and Microsoft declining to address it looks like a way of encouraging the transition; people using Windows 7 or later, or Windows Server 2008 R2 or later, are safe once they have promptly upgraded to Internet Explorer 10.

Furthermore, according to findings from the other day, the share of IE 6 is 6.03%, IE 7 is 1.78%, IE 8 is 22.99% and IE 9 is 15.39%, so the scope of impact is likely to be quite wide.

in Software, Posted by logc_nt