News

Vulnerability in Microsoft Internet Explorer Discovered

A vulnerability in Microsoft Internet Explorer has been discovered that could allow a malicious Web site operator, under certain circumstances, to read files on the computer of a user who visited the site.

Client-local data that is displayed in the browser can be made available to the server by using a redirect to a Javascript applet running in the same window. This bypasses cross-domain security and makes the data available to the applet, which could then send the data to a hostile server. This could allow a malicious Web site operator to read the contents of files on visiting users' computers. The vulnerability would not allow the malicious user to list the contents of the folders, create, modify or delete files, or to usurp any administrative control over the machine.

A patch is being developed by Microsoft to fix the vulnerability. Meanwhile, Microsoft recommends that Internet Explorer users add sites that they trust to the Trusted Zone in Internet Explorer, and disable Active Scripting in the Internet Zone, in order to work around the vulnerability. For more information on the vulnerability, check Microsoft's Security Bulletin FAQ.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

Featured

  • Microsoft Appoints Ex-GE Exec Its First COO Since 2016

    Microsoft has a new chief operating officer (COO), its first since Kevin Turner left the role -- and the company -- in 2016.

  • Image of a futuristic maze

    The 2024 Microsoft Product Roadmap

    Everything Microsoft partners and IT pros need to know about major Microsoft product milestones this year.

  • Microsoft, Oracle Announce Updates to Joint Database IaaS Service

    The Oracle Database@Azure infrastructure-as-a-service offering from Oracle and Microsoft is getting new capabilities, including integrations with key Microsoft data and security services.

  • 2025 Support Cliffs Approaching for Exchange 2016, Dynamics 365 PSA

    Microsoft recently sounded the warning bell for two of its products, Exchange Server 2016 and Dynamics 365 Project Service Automation (PSA), both of which are set to reach end-of-support milestones next year.