JVN#78383854: Internet Explorer cross-domain policy bypass

Overview

Internet Explorer contains a flaw that may allow an attacker to bypass cross-domain policies.

Products Affected

The following products without Cumulative Security Update (3134220) are affected.

Internet Explorer 9
Internet Explorer 10
Internet Explorer 11

Description

Internet Explorer contains an information disclosure vulnerability due to a flaw in handling cross-domain policies.

Impact

When a specially crafted content is opened, cross-domain policies may be bypassed and then information of the URL that the user is accessing may be obtained by an attacker.

Solution

Update the Software
This issue was addressed in MS16-009 released on February 10, 2016. Apply the update according to the information provided by Microsoft.

Vendor Status

Vendor	Status	Last Update	Vendor Notes
Microsoft Japan Co.,Ltd.	Vulnerable	2016/02/19	Microsoft Japan Co.,Ltd. website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Base Score: 4.3

Attack Vector(AV)	Physical (P)	Local (L)	Adjacent (A)	Network (N)
Attack Complexity(AC)	High (H)	Low (L)
Privileges Required(PR)	High (H)	Low (L)	None (N)
User Interaction(UI)	Required (R)	None (N)
Scope(S)	Unchanged (U)	Changed (C)
Confidentiality Impact(C)	None (N)	Low (L)	High (H)
Integrity Impact(I)	None (N)	Low (L)	High (H)
Availability Impact(A)	None (N)	Low (L)	High (H)

CVSS v2 AV:N/AC:M/Au:N/C:P/I:N/A:N