Intrusion Prevention

MS.IE.MHTML.Cross.Domain.Information.Disclosure

Description

Microsoft Internet Explorer has a cross-domain information disclosure vulnerability. A remote attacker could bypass security restrictions and gain knowledge of sensitive information via a specially-crafted web page with "mhtml:" URL redirections.

Affected Products

Microsoft Internet Explorer 7 for Microsoft Windows XP Service Pack 2
Microsoft Internet Explorer 7 for Microsoft Windows XP Professional x64 Edition
Microsoft Internet Explorer 7 for Microsoft Windows Server 2003
Microsoft Internet Explorer 7 for Microsoft Windows Server 2003 Service Pack 1
Microsoft Internet Explorer 7 for Microsoft Windows Server 2003 (Itanium)
Microsoft Internet Explorer 7 for Microsoft Windows Server 2003 SP1 (Itanium)
Microsoft Internet Explorer 7 for Microsoft Windows Server 2003 x64 Edition
Microsoft Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4
Microsoft Internet Explorer 6 Service Pack 1 on Microsoft Windows XP Service Pack 1
Microsoft Internet Explorer 6 for Microsoft Windows XP Service Pack 2
Microsoft Internet Explorer 6 for Microsoft Windows Server 2003
Microsoft Internet Explorer 6 for Microsoft Windows Server 2003 Service Pack 1
Microsoft Internet Explorer 6 for Microsoft Windows Server 2003 (Itanium)
Microsoft Internet Explorer 6 for Microsoft Windows Server 2003 SP1 (Itanium)
Microsoft Internet Explorer 6 for Microsoft Windows Server 2003 x64 Edition
Microsoft Internet Explorer 6 for Microsoft Windows XP Professional x64 Edition
Microsoft Internet Explorer 6 Service Pack 1 on Microsoft Windows 98
Microsoft Internet Explorer 6 Service Pack 1 on Microsoft Windows 98 SE
Microsoft Internet Explorer 6 Service Pack 1 on Microsoft Windows Millennium Edition
Microsoft Outlook Express 5.5
Microsoft Outlook Express 6

Impact

Information disclosure.

Recommended Actions

Disable Active Scripting in the Internet and Local intranet security zones:
- In Internet Explorer, click Internet Options on the Tools menu
- Click the Security tab
- Click Internet, and then click Custom Level
- Under Settings, in the Scripting section, under Active Scripting, click Disable, and then click OK
- Click Local intranet, and then click Custom Level
- Under Settings, in the Scripting section, under Active Scripting, click Disable, and then click OK
- If you are prompted to confirm that you want to change these settings, click Yes
- Click OK to return to Internet Explorer
Note: Disabling Active Scripting may cause some Web sites to work incorrectly.
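
The same change can be audited and applied from a script. The following is an added example, not part of the original advisory; it assumes the standard per-user Internet Explorer zone layout in the registry (zone 1 = Local intranet, zone 3 = Internet, value 1400 = Active scripting, data 3 = Disable).

```powershell
# Added example: scripted equivalent of the GUI steps above, with an audit mode.
# Assumptions (standard IE security-zone registry layout, not stated in the advisory):
#   zone 1 = Local intranet, zone 3 = Internet
#   value 1400 = Active scripting; 0 = Enable, 1 = Prompt, 3 = Disable
param([switch]$Apply)   # without -Apply the script only reports

$ZonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones    = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$Action   = '1400'
$Disable  = 3
$Meaning  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveScripting([int]$Zone) {
    $path = Join-Path $ZonesKey $Zone
    $item = Get-ItemProperty -Path $path -Name $Action -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: the zone default applies
    return [int]$item.$Action
}

$results = foreach ($zone in $Zones.Keys | Sort-Object) {
    $before = Get-ActiveScripting $zone
    if ($Apply -and $before -ne $Disable) {
        $path = Join-Path $ZonesKey $zone
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name $Action -Value $Disable -Type DWord
    }
    $after = Get-ActiveScripting $zone   # re-read so the report reflects what is stored
    [pscustomobject]@{
        Zone      = $Zones[$zone]
        Before    = if ($null -eq $before) { 'not set' } else { $Meaning[$before] }
        After     = if ($null -eq $after)  { 'not set' } else { $Meaning[$after] }
        Compliant = ($after -eq $Disable)
    }
}

$results | Format-Table -AutoSize
# Non-zero exit code lets a management tool flag hosts that still allow scripting.
if ($results.Compliant -contains $false) { exit 1 }
```

Run without `-Apply` to report the current state only. Group Policy can enforce zone settings machine-wide, in which case the per-user values written here are not the ones in effect.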
Currently we are not aware of any vendor-supplied patches for this issue.
http://www.microsoft.com

CVE References

CVE-2006-2111