Unless I'm reading the MS advisory wrong, which I have been guilty of before, this would not work unless you fill in "<user>" and document with valid names. It doesn't appear to allow directory browsing.
From: Jonathan Link [mailto:[email protected]] Sent: Thursday, February 04, 2010 2:34 PM To: NT System Admin Issues Subject: Re: IE info-disclosure bug disclosed at Black Hat c:\documents and settings\<user>\My Documents c:\users\<user>\Documents Many companies, especially small companies store their data here. Our users for the most part store data here for staging purposes when they are out in the field performing an audit. Eventually it gets cleaned out when incorporated into our engagement management software. On Thu, Feb 4, 2010 at 1:42 PM, Carl Houseman <[email protected]> wrote: Secunia doesn't seem to think it's that critical, certainly not in the same league as system-takeover problems. Name any well known data file on my computer that would cause me "super critical" harm if disclosed. Don't bother with the local SAM, they can have it, since there's no remote access via a local account. Carl -----Original Message----- From: Kurt Buff [mailto:[email protected]] Sent: Thursday, February 04, 2010 12:29 PM To: NT System Admin Issues Subject: Re: IE info-disclosure bug disclosed at Black Hat Super critical, because paths to many well-known data files are always the same. On Thu, Feb 4, 2010 at 09:10, Carl Houseman <[email protected]> wrote: > It's not IE6, it's any version of IE that's not in "protected mode" (so, any > version of IE on XP, and or an elevated or UAC-disabled IE under Vista/7). > > Seems not that super-critical since exploit must know a complete path to a > specific file that's going to be revealed. > > Carl > > -----Original Message----- > From: Angus Scott-Fleming [mailto:[email protected]] > Sent: Thursday, February 04, 2010 11:57 AM > To: NT System Admin Issues > Subject: IE info-disclosure bug disclosed at Black Hat > > MSRC bulletin released, MS Security Advisory released, ZDNet Zero-Day has a > story. > > An information-leakage problem in Internet Explorer has been disclosed > at > this week's Black Hat conference. It seems that if you use Internet > Explorer to surf the Internet, the Bad Guys can now read ANY FILE on > your > hard drive. Details and info on a Microsoft-issued "FixIt" solution are > > in the latest blog entry at http://geoapps.blogspot.com/ -- so if you > use > IE, especially IE6, please go read up on this and get patching. > > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
