Another Internet Explorer vulnerability grants full access to hard drive

The Register has an article on another vulnerability in Internet Explorer and Windows which allows the attacker complete access to the hard drive.

If you use any version of Internet Explorer to surf Twitter or other Web 2.0 sites, Jorge Luis Alvarez Medina can probably read the entire contents of your primary hard drive.

The security consultant at Core Security said his attack works by clicking on a single link that exploits a chain of weaknesses in IE and Windows. Once an IE user visits the booby-trapped site, the webmaster has complete access to the machine’s C drive, including files, authentication cookies – even empty hashes of passwords.

This is not the first time these vulnerabilities have surfaced (and it won’t be the last), but Microsoft cannot completely fix the issues because they use core functions of Windows.

The hole is difficult to close because the attack exploits an array of features IE users have come to rely on to make web application work seamlessly. Simply removing the features could neuter functions such as online file sharing and active scripting, underscoring the age-old tradeoff between a system’s functionality and its security.

1 Response to “Another Internet Explorer vulnerability grants full access to hard drive”


Leave a Reply