Microsoft Internet Explorer IFRAME Loading Information Disclosure Vulnerability

Bugtraq ID:	51065
Class:	Access Validation Error
CVE:	CVE-2011-4689
Remote:	Yes
Local:	No
Published:	Dec 14 2011 12:00AM
Updated:	Dec 14 2011 12:00AM
Credit:	Edward W. Felten and Michael A. Schneider
Vulnerable:	Microsoft Internet Explorer 7.0.5730 .11 Microsoft Internet Explorer 9 Microsoft Internet Explorer 8.0.7600.16385 Microsoft Internet Explorer 8 RC1 + Microsoft Windows 7 beta Microsoft Internet Explorer 8 beta 2 Microsoft Internet Explorer 8 Beta 1 Microsoft Internet Explorer 8 Microsoft Internet Explorer 7.0 beta3 Microsoft Internet Explorer 7.0 beta2 Microsoft Internet Explorer 7.0 beta1 Microsoft Internet Explorer 7.0 + Microsoft Windows Server 2003 SP2 + Microsoft Windows Server 2003 Itanium SP2 + Microsoft Windows Server 2003 x64 SP2 + Microsoft Windows Server 2008 for 32-bit Systems SP2 + Microsoft Windows Server 2008 for 32-bit Systems 0 + Microsoft Windows Server 2008 for Itanium-based Systems SP2 + Microsoft Windows Server 2008 for Itanium-based Systems 0 + Microsoft Windows Server 2008 for x64-based Systems SP2 + Microsoft Windows Server 2008 for x64-based Systems 0 + Microsoft Windows Vista Ultimate + Microsoft Windows Vista Ultimate + Microsoft Windows Vista Ultimate + Microsoft Windows Vista Ultimate + Microsoft Windows Vista SP2 + Microsoft Windows Vista SP1 + Microsoft Windows Vista Home Premium + Microsoft Windows Vista Home Premium + Microsoft Windows Vista Home Premium + Microsoft Windows Vista Home Premium + Microsoft Windows Vista Home Premium + Microsoft Windows Vista Home Premium + Microsoft Windows Vista Home Basic + Microsoft Windows Vista Home Basic + Microsoft Windows Vista Home Basic + Microsoft Windows Vista Home Basic + Microsoft Windows Vista Home Basic + Microsoft Windows Vista Home Basic + Microsoft Windows Vista Enterprise + Microsoft Windows Vista Enterprise + Microsoft Windows Vista Enterprise + Microsoft Windows Vista Enterprise + Microsoft Windows Vista Enterprise + Microsoft Windows Vista Enterprise + Microsoft Windows Vista Business + Microsoft Windows Vista Business + Microsoft Windows Vista Business + Microsoft Windows Vista Business + Microsoft Windows Vista Business + Microsoft Windows Vista Business + Microsoft Windows Vista 0 + Microsoft Windows Vista 0 + Microsoft Windows Vista 0 + Microsoft Windows Vista 0 + Microsoft Windows Vista 0 + Microsoft Windows Vista 0 + Microsoft Windows Vista x64 Edition SP2 + Microsoft Windows Vista x64 Edition SP1 + Microsoft Windows Vista x64 Edition 0 + Microsoft Windows XP Embedded SP3 + Microsoft Windows XP Home SP3 + Microsoft Windows XP Media Center Edition SP3 + Microsoft Windows XP Professional SP3 + Microsoft Windows XP Professional x64 Edition SP2 + Microsoft Windows XP Tablet PC Edition SP3 Microsoft Internet Explorer 7.0 Microsoft Internet Explorer 6.0 SP3 Microsoft Internet Explorer 6.0 SP2 Microsoft Internet Explorer 6.0 SP1 Microsoft Internet Explorer 6.0 - Microsoft Windows 2000 Advanced Server SP2 - Microsoft Windows 2000 Advanced Server SP2 - Microsoft Windows 2000 Advanced Server SP2 - Microsoft Windows 2000 Advanced Server SP1 - Microsoft Windows 2000 Advanced Server SP1 - Microsoft Windows 2000 Advanced Server SP1 - Microsoft Windows 2000 Advanced Server - Microsoft Windows 2000 Advanced Server - Microsoft Windows 2000 Advanced Server - Microsoft Windows 2000 Datacenter Server SP2 - Microsoft Windows 2000 Datacenter Server SP2 - Microsoft Windows 2000 Datacenter Server SP2 - Microsoft Windows 2000 Datacenter Server SP1 - Microsoft Windows 2000 Datacenter Server SP1 - Microsoft Windows 2000 Datacenter Server SP1 - Microsoft Windows 2000 Datacenter Server - Microsoft Windows 2000 Datacenter Server - Microsoft Windows 2000 Datacenter Server - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP1 - Microsoft Windows 2000 Professional SP1 - Microsoft Windows 2000 Professional SP1 - Microsoft Windows 2000 Professional - Microsoft Windows 2000 Professional - Microsoft Windows 2000 Professional - Microsoft Windows 2000 Server SP2 - Microsoft Windows 2000 Server SP2 - Microsoft Windows 2000 Server SP2 - Microsoft Windows 2000 Server SP1 - Microsoft Windows 2000 Server SP1 - Microsoft Windows 2000 Server SP1 - Microsoft Windows 2000 Server - Microsoft Windows 2000 Server - Microsoft Windows 2000 Server - Microsoft Windows 2000 Terminal Services SP2 - Microsoft Windows 2000 Terminal Services SP2 - Microsoft Windows 2000 Terminal Services SP2 - Microsoft Windows 2000 Terminal Services SP1 - Microsoft Windows 2000 Terminal Services SP1 - Microsoft Windows 2000 Terminal Services SP1 - Microsoft Windows 2000 Terminal Services - Microsoft Windows 2000 Terminal Services - Microsoft Windows 2000 Terminal Services - Microsoft Windows 98 - Microsoft Windows 98 - Microsoft Windows 98 - Microsoft Windows 98SE - Microsoft Windows 98SE - Microsoft Windows 98SE - Microsoft Windows ME - Microsoft Windows ME - Microsoft Windows ME - Microsoft Windows NT 4.0 SP6a - Microsoft Windows NT 4.0 SP6a - Microsoft Windows NT Enterprise Server 4.0 SP6a - Microsoft Windows NT Enterprise Server 4.0 SP6a - Microsoft Windows NT Enterprise Server 4.0 SP6a - Microsoft Windows NT Server 4.0 SP6a - Microsoft Windows NT Server 4.0 SP6a - Microsoft Windows NT Server 4.0 SP6a - Microsoft Windows NT Terminal Server 4.0 SP6a - Microsoft Windows NT Terminal Server 4.0 SP6a - Microsoft Windows NT Workstation 4.0 SP6a - Microsoft Windows NT Workstation 4.0 SP6a - Microsoft Windows NT Workstation 4.0 SP6a + Microsoft Windows Server 2003 Datacenter Edition + Microsoft Windows Server 2003 Datacenter Edition + Microsoft Windows Server 2003 Datacenter Edition + Microsoft Windows Server 2003 Datacenter Edition Itanium 0 + Microsoft Windows Server 2003 Datacenter Edition Itanium 0 + Microsoft Windows Server 2003 Enterprise Edition + Microsoft Windows Server 2003 Enterprise Edition + Microsoft Windows Server 2003 Enterprise Edition + Microsoft Windows Server 2003 Enterprise Edition Itanium 0 + Microsoft Windows Server 2003 Enterprise Edition Itanium 0 + Microsoft Windows Server 2003 Enterprise Edition Itanium 0 + Microsoft Windows Server 2003 Standard Edition + Microsoft Windows Server 2003 Standard Edition + Microsoft Windows Server 2003 Standard Edition + Microsoft Windows Server 2003 Web Edition + Microsoft Windows Server 2003 Web Edition + Microsoft Windows Server 2003 Web Edition + Microsoft Windows XP Home + Microsoft Windows XP Home + Microsoft Windows XP Home + Microsoft Windows XP Professional + Microsoft Windows XP Professional + Microsoft Windows XP Professional
Not Vulnerable:

Microsoft Internet Explorer IFRAME Loading Information Disclosure Vulnerability

Microsoft Internet Explorer is prone to an information-disclosure vulnerability.

An attacker can exploit this issue by tricking an unsuspecting victim into viewing a page containing malicious content.

Successful exploits will allow attackers to enumerate documents in the browser cache. Information obtained may aid in further attacks.

Microsoft Internet Explorer IFRAME Loading Information Disclosure Vulnerability

An attacker can exploit this issue by enticing an unsuspecting user to visit a crafted site.

Microsoft Internet Explorer IFRAME Loading Information Disclosure Vulnerability

Solution:
Currently, we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of any more recent information, please mail us at: [email protected].

Microsoft Internet Explorer IFRAME Loading Information Disclosure Vulnerability

References:

• Internet Explorer Homepage (Microsoft)
  
• Rapid history extraction through non-destructive cache timing (v8) (Michal Zalewski)
  
• Timing Attacks on Web Privacy Timing Attacks on Web Privacy (Edward W. Felten and Michael A. Schneider)