Vigil@nce - Windows, IE: information disclosure via Microsoft XML Core Services
February 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use Microsoft XML Core Services of Windows, via
IE, in order to obtain sensitive information from another site, or
to read a victim’s file.
Impacted products: IE, Windows 2003, Windows 2008, Microsoft
Windows 2012, Windows 7, Windows 8, Windows RT, Windows Vista,
Windows XP
Severity: 2/4
Creation date: 11/02/2014
DESCRIPTION OF THE VULNERABILITY
The Microsoft XML Core Services (MSXML) library is used by
Microsoft applications which process XML data.
However, an attacker can bypass access restrictions to data of a
domain.
An attacker can therefore use Microsoft XML Core Services of
Windows, via IE, in order to obtain sensitive information from
another site, or to read a victim’s file.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN