Microsoft Internet Explorer Cascading Style Sheets (CSS) can be used to read portions of local files

ie-css-read-files (8740)

Medium Risk

Description:

Microsoft Internet Explorer could allow a remote attacker to read portions of files on other user's systems, caused by a vulnerability in Cascading Style Sheets (CSS). A remote attacker could create a malicious Web page with specially-crafted JavaScript that uses the cssText property of the styleSheet object to obtain portions of any known file on the victim's system that contains invalid CSS attributes.

Platforms Affected:

• MandrakeSoft, Mandrake Linux 8.2
• Microsoft, Internet Explorer 5.01
• Microsoft, Internet Explorer 5.5
• Microsoft, Internet Explorer 6

Remedy:

Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.

— OR —

Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.

For Mandrake Linux:
Upgrade to the latest Mozilla package as listed below. Refer to MandrakeSoft Security Advisory MDKSA-2002:074 : mozilla. See References.

Mandrake Linux 8.2: 1.0.1-4.1mdk or later

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Obtain Information

References:

• BugTraq Mailing List, Fri May 17 2002 - 07:36:00 CDT, RE: Update and comments on the MS02-023 patch, holes still remain at http://archives.neohapsis.com/archives/bugtraq/2002-05/0139.html.
• BugTraq Mailing List, Thu May 16 2002 - 09:20:08 CDT, Update and comments on the MS02-023 patch, holes still remain at http://archives.neohapsis.com/archives/bugtraq/2002-05/0130.html.
• BugTraq Mailing List, Tue Sep 10 2002 - 10:38:28 CDT, IE6 SP1 Notes at http://archives.neohapsis.com/archives/bugtraq/2002-09/0090.html.
• CIAC Information Bulletin M-082, Microsoft Cumulative Patch for Internet Explorer at http://www.ciac.org/ciac/bulletins/m-082.shtml.
• GreyMagic Security Advisory GM#004-IE, Reading portions of local files, depending on structure. at http://security.greymagic.com/adv/gm004-ie/.
• Microsoft Security Bulletin MS02-023, 15 May 2002 Cumulative Patch for Internet Explorer (Q321232) at http://www.microsoft.com/technet/security/bulletin/ms02-023.mspx. (Superseded by MS02-047.)
• Microsoft Security Bulletin MS02-047, Cumulative Patch for Internet Explorer (Q323759) at http://www.microsoft.com/technet/security/bulletin/ms02-047.mspx.
• Microsoft Security Bulletin MS02-066, Cumulative Patch for Internet Explorer (Q328970) at http://www.microsoft.com/technet/security/Bulletin/MS02-066.mspx.
• Microsoft Security Bulletin MS02-068, Cumulative Patch for Internet Explorer (324929) at http://www.microsoft.com/technet/security/Bulletin/MS02-068.mspx.
• Microsoft Security Bulletin MS03-004, Cumulative Patch for Internet Explorer (810847) at http://www.microsoft.com/technet/security/bulletin/ms03-004.mspx.
• Microsoft Security Bulletin MS03-015, Cumulative Patch for Internet Explorer (813489) at http://www.microsoft.com/technet/security/bulletin/ms03-015.mspx.
• Microsoft Security Bulletin MS03-020, Cumulative Patch for Internet Explorer (818529) at http://www.microsoft.com/technet/security/bulletin/ms03-020.mspx.
• Microsoft Security Bulletin MS03-032, Cumulative Patch for Internet Explorer (822925) at http://www.microsoft.com/technet/security/bulletin/ms03-032.mspx.
• Microsoft Security Bulletin MS03-040, Cumulative Patch for Internet Explorer (828750) at http://www.microsoft.com/technet/security/bulletin/ms03-040.mspx.
• Microsoft Security Bulletin MS03-048, Cumulative Security Update for Internet Explorer (824145) at http://www.microsoft.com/technet/security/bulletin/ms03-048.mspx.
• Microsoft Security Bulletin MS04-004, Cumulative Security Update for Internet Explorer (832894) at http://www.microsoft.com/technet/security/bulletin/ms04-004.mspx.
• Microsoft Security Bulletin MS04-025, Cumulative Security Update for Internet Explorer (867801) at http://www.microsoft.com/technet/security/bulletin/ms04-025.mspx.
• Microsoft Security Bulletin MS04-038, Cumulative Security Update for Internet Explorer (834707) at http://www.microsoft.com/technet/security/bulletin/ms04-038.mspx.
• Microsoft Security Bulletin MS04-040, Cumulative Security Update for Internet Explorer (889293) at http://www.microsoft.com/technet/security/bulletin/ms04-040.mspx.
• Microsoft Security Bulletin MS05-014, Cumulative Security Update for Internet Explorer (867282) at http://www.microsoft.com/technet/security/bulletin/ms05-014.mspx.
• Microsoft Security Bulletin MS05-020, Cumulative Security Update for Internet Explorer (890923) at http://www.microsoft.com/technet/security/Bulletin/MS05-020.mspx.
• Microsoft Security Bulletin MS05-025, Cumulative Security Update for Internet Explorer (883939) at http://www.microsoft.com/technet/security/bulletin/ms05-025.mspx.
• Microsoft Security Bulletin MS05-038, Cumulative Security Update for Internet Explorer (896727) at http://www.microsoft.com/technet/security/bulletin/ms05-038.mspx.
• Microsoft Security Bulletin MS05-052, Cumulative Security Update for Internet Explorer (896688) at http://www.microsoft.com/technet/security/Bulletin/MS05-052.mspx.
• Microsoft Security Bulletin MS05-054, Cumulative Security Update for Internet Explorer (905915) at http://www.microsoft.com/technet/security/Bulletin/MS05-054.mspx.
• Microsoft Security Bulletin MS06-004, Cumulative Security Update for Internet Explorer (910620) at http://www.microsoft.com/technet/security/Bulletin/MS06-004.mspx.
• Microsoft Security Bulletin MS06-013, Cumulative Security Update for Internet Explorer (912812) at http://www.microsoft.com/technet/security/Bulletin/MS06-013.mspx.
• Microsoft Security Bulletin MS06-021, Cumulative Security Update for Internet Explorer (916281) at http://www.microsoft.com/technet/security/Bulletin/MS06-021.mspx.
• Microsoft Security Bulletin MS06-042, Cumulative Security Update for Internet Explorer (918899) at http://www.microsoft.com/technet/security/bulletin/ms06-042.mspx.
• Microsoft Security Bulletin MS06-067, Cumulative Security Update for Internet Explorer (922760) at http://www.microsoft.com/technet/security/bulletin/ms06-067.mspx.
• Microsoft Security Bulletin MS06-072, Cumulative Security Update for Internet Explorer (925454) at http://www.microsoft.com/technet/security/Bulletin/MS06-072.mspx.
• Microsoft Security Bulletin MS07-016, Cumulative Security Update for Internet Explorer (928090) at http://www.microsoft.com/technet/security/Bulletin/ms07-016.mspx.
• Microsoft Security Bulletin MS07-027, Cumulative Security Update for Internet Explorer (931768) at http://www.microsoft.com/technet/security/bulletin/ms07-027.mspx.
• Microsoft Security Bulletin MS07-033, Cumulative Security Update for Internet Explorer (933566) at http://www.microsoft.com/technet/security/bulletin/ms07-033.mspx.
• Microsoft Security Bulletin MS07-045, Cumulative Security Update for Internet Explorer (937143) at http://www.microsoft.com/technet/security/bulletin/ms07-045.mspx.
• Microsoft Security Bulletin MS07-057, Cumulative Security Update for Internet Explorer (939653) at http://www.microsoft.com/technet/security/Bulletin/MS07-057.mspx.
• Microsoft Security Bulletin MS07-069, Cumulative Security Update for Internet Explorer (942615) at http://www.microsoft.com/technet/security/bulletin/ms07-069.mspx.
• Microsoft Security Bulletin MS08-010, Cumulative Security Update for Internet Explorer (944533) at http://www.microsoft.com/technet/security/bulletin/ms08-010.mspx.
• Microsoft Security Bulletin MS08-024, Cumulative Security Update for Internet Explorer (947864) at http://www.microsoft.com/technet/security/bulletin/ms08-024.mspx.
• Microsoft Security Bulletin MS08-031, Cumulative Security Update for Internet Explorer (950759) at http://www.microsoft.com/technet/security/Bulletin/MS08-031.mspx.
• Microsoft Security Bulletin MS08-045, Cumulative Security Update for Internet Explorer (953838) at http://www.microsoft.com/technet/security/bulletin/ms08-045.mspx.
• Microsoft Security Bulletin MS08-058, Cumulative Security Update for Internet Explorer (956390) at http://www.microsoft.com/technet/security/bulletin/ms08-058.mspx.
• BID-4411: Microsoft Internet Explorer Cascading Style Sheet File Disclosure Vulnerability
• CVE-2002-0191: Microsoft Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to view arbitrary files that contain the { character via script containing the cssText property of the stylesheet object, aka Local Information Disclosure through HTML Object vulnerability.

Reported:

Apr 02, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page