SA11793: Internet Explorer Local Resource Access and Cross-Zone Scripting Vulnerabilities
Secunia Advisory: SA11793
Release Date: 2004-06-08
Critical: Extremely critical
Impact: Security Bypass and System access
Two vulnerabilities have been reported in Internet Explorer, which in combination with other known issues can be exploited by malicious people to compromise a user's system.
1) A variant of the "Location:" local resource access vulnerability can be exploited via a specially crafted URL in the "Location:" HTTP header to open local files.
2) A cross-zone scripting error can be exploited to execute files in the "Local Machine" security zone.
Secunia has confirmed the vulnerabilities in a fully patched system with Internet Explorer 6.0. It has been reported that the preliminary SP2 prevents exploitation by denying access.
Successful exploitation requires that a user can be tricked into following a link or view a malicious HTML document. The vulnerabilities are actively being exploited in the wild to install adware on users' systems
Solution: Disable Active Scripting support for all but trusted web sites.