Looks like 2002 is starting off the way 2001 was going, with resident IE and bug hunter/guru, George Guninski, having found another hole in IE, this time relating to an earlier bug, the GetObject(), which he first reported back on the 26th September 2000, allowing an outside attacker to view known files on a remote system.
The original vulnerability was due to a flaw in Windows Script Host (WSH), WSH does not properly verify a domain for certain requests in IE and Outlook Express. This flaw just side steps the patch that was developed by Microsoft for the WSH.
Description:
IE allows reading local files due to a bug in GetObject().
Reading local files may lead to executing arbitrary programs.
Vunerable systems:
IE 6.0, IE 5.5sp2, IE 5.5sp1, IE 5.5, running on Win95/98/ME/NT/2k
The new bug is quite similar to the George Guninski: GetObject() expose user's files vunerability, the difference being:
----------------------
a=GetObject("https://"+location.host+"/../../../../../../test.txt","htmlfile");
----------------------
It is funny that directory traversal on a http: URL leads to reading local files.
Workaround/Solution:
Disable Active Scripting and never turn it on.
Better, do not use IE in hostile environments such as the internet.
Vendor status:
Microsoft was notified on 11 December 2001.
They had 3 weeks to produce a patch but didn't.
News source: George Guninski - GetObject() problem, directory traversal on a http: URL (1st January 2002)
View: George Guninski - Original vunerability: GetObject() expose user's files (26th September 2000)
View: SecurityFocus Bugtraq notification: 3767 - IE GetObject File Disclosure Vulnerability (1st January 2002)
Additional Information:
New proof of concept code for the original GetObject() vulnerability can affect users who have already applied the Microsoft WSH supplied patch. The new code uses Base64 encoding embedded within the HTML, which effectively bypasses the security provided by the patch.
View Proof Of Concept Exploit: "htmlfile_FWE-exploit.htm", which affects WSH patched systems (Markus Kern)