Reported October 18, 2000 by Georgi Guninski

VERSIONS AFFECTED
  • Microsoft Internet Explorer 5.5
  • Microsoft Outlook Express
  • Microsoft Outlook 

DESCRIPTION

Georgi Guninski has discovered yet another security issue with Internet Explorer 5.5, Outlook, and Outlook Express. The vulnerability could allow an attacker to read local files, arbitrary URLs, and the local directory structure.

The problem lies in specifying an arbitrary codebase for an applet loaded from the tag and a jar file. Applets may read URLs from their codebase and communicate with hosts from the codebase.
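As an added illustration (not code from Guninski's advisory or from Microsoft), the following Python check shows how a mail or proxy filter could flag markup that sets an applet codebase to a local path or to a host other than the document's own. The tag names checked, the `audit` function, and the sample HTML are assumptions constructed for this example; the advisory text here does not name the tag.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: both HTML 4 elements that accept a codebase attribute are checked.
APPLET_TAGS = {"applet", "object"}

# Constructed sample markup (not taken from the advisory).
SAMPLE = """
<applet codebase="classes/"></applet>
<APPLET CODEBASE="file:///c:/"></APPLET>
<object codebase="http://other.example/jars/"></object>
<object codebase="http://www.example.com/jars/"></object>
"""


class CodebaseAudit(HTMLParser):
    """Collect codebase attributes that point outside the document's host."""

    def __init__(self, doc_url):
        super().__init__()
        self.doc = urlsplit(doc_url)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        codebase = dict(attrs).get("codebase") if tag in APPLET_TAGS else None
        if codebase:
            reason = self._classify(codebase.strip())
            if reason:
                self.findings.append((tag, codebase, reason))

    def _classify(self, codebase):
        if codebase.startswith("\\\\"):
            return "local"          # UNC path
        cb = urlsplit(codebase)
        if cb.scheme == "file" or len(cb.scheme) == 1:
            return "local"          # file: URL or a drive letter such as C:\
        if cb.hostname and cb.hostname != self.doc.hostname:
            return "foreign-host"   # ports are ignored in this comparison
        return None                 # relative, or same host as the document


def audit(html, doc_url):
    """Return (tag, codebase, reason) for every suspicious codebase in html."""
    parser = CodebaseAudit(doc_url)
    parser.feed(html)
    parser.close()
    return parser.findings
```

For HTML mail, where there is no document host, passing `about:blank` as `doc_url` makes every absolute codebase count as foreign.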

DEMONSTRATION

The following code was made available by Georgi Guninski in his advisory, available at: http://www.guninski.com/javacodebase1.html

---------javacodebase1.html----------------




-------------------------------------------

--------gjavacodebase.java----------------
......
try
{
    u = new URL(getParameter("URL"));
    InputStream is=u.openStream();
    byte ba[]=new byte[1000];
    int l=is.read(ba);
    InputStream os=u.openConnection().getInputStream();
    String s1=new String(ba,0,l);
    print(u.toString());
    print(s1);
}
.......

---------------------------------------------------------------------

 

VENDOR RESPONSE

Microsoft has been notified of this vulnerability, but no patch has been issued. Until a patch is available, it is recommended to disable Java.

CREDIT
Discovered by
Georgi Guninski