Published: 2013/06/07  Last Updated: 2013/06/07

JVN#63901692
Internet Explorer vulnerable to information disclosure

Overview

Internet Explorer contains an information disclosure vulnerability.

Products Affected

  • Internet Explorer 6
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9

Description

Internet Explorer contains an issue in handling XML files, which may result in information disclosure.

Impact

If a user opens a specially crafted XML file as a local file, other local files may be disclosed.

Solution

Upgrade the software
Users of Windows 7 and later or Windows Server 2008 R2 and later are advised to upgrade to Internet Explorer 10.

Apply a workaround
The following workaround may mitigate the effects of this vulnerability.

  • Do not save untrusted files onto local disks.

The developer states that there are no plans for this issue to be addressed in Internet Explorer 9 and earlier.

Vendor Status

Vendor | Status | Last Update | Vendor Notes
Microsoft Japan Co.,Ltd. | Vulnerable | 2013/06/07 |

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Analyzed on 2013.06.07

Measures | Conditions | Severity
Access Required | can be attacked over the Internet using packets | High
Authentication | anonymous or no authentication (IP addresses do not count) | High
User Interaction Required | the user must be convinced to take a standard action that does not feel harmful to most users, such as click on a link or view a file | Mid
Exploit Complexity | little to no expertise and/or luck required to exploit (cross-site scripting). Expected to be the common response | High


Credit

Isayama Takayoshi of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JVN iPedia JVNDB-2013-000053