J-Security Center

Title: Microsoft Internet Explorer 5.5 Index.dat Vulnerability

Severity: HIGH

Description:

IE 5.5 (and possibly other versions) stores recently visited URLs and cache folder names in a local file called index.dat. This file is kept in the following known locations:

Windows 9x:
C:/WINDOWS/Temporary Internet Files/Content.IE5/

Windows 2000:
C:/Documents and Settings/USERNAME/Local Settings/Temporary Internet Files/Content.IE5/

IE's security mechanism treats this file as local content, but arbitrary code can be written to it by including scripting commands in a URL. Therefore, although the code may not execute when the URL itself is visited, it will be trusted in the local index.dat file. To execute code in that file, it must be parsed by IE. Microsoft has released a security bulletin about parsing non-HTML files (see Microsoft Security Bulletin MS00-055 in the credit section); however, it is still possible to force IE to render non-HTML files via an object tag that defines the TYPE as text/html and specifies the file in the DATA field.

Therefore, remote code can be injected into a trusted file and successfully executed. This vulnerability can be used for many purposes, including determining the names of the cache folders. With that information, an attacker could cause the target to execute files previously downloaded by the victim.
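
An added example, not part of the original advisory: a Python check that a mail or web content filter could run to flag the rendering step described above, an OBJECT element that declares TYPE text/html while its DATA points at a local file under the IE cache locations listed earlier. The function names, the marker list and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import unquote

# Assumption: markers derived from the cache locations named in the advisory.
LOCAL_MARKERS = ("content.ie5", "index.dat", "temporary internet files")

def is_local_cache_ref(data):
    """True if a DATA value points at a local file inside the IE cache tree."""
    value = unquote(data).strip().lower().replace("\\", "/")
    # Local means a file: URL or a drive-letter path such as c:/...
    is_local = value.startswith("file:") or value[1:3] == ":/"
    return is_local and any(marker in value for marker in LOCAL_MARKERS)

class ObjectTagAuditor(HTMLParser):
    """Collects (line, data) for OBJECT tags that force HTML parsing of cache files."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so OBJECT/TYPE/DATA match.
        if tag != "object":
            return
        attr = {name: (value or "") for name, value in attrs}
        forced_html = attr.get("type", "").strip().lower() == "text/html"
        if forced_html and is_local_cache_ref(attr.get("data", "")):
            self.findings.append((self.getpos()[0], attr["data"]))

def audit_html(html):
    """Return findings for one HTML document (page body, e-mail part, etc.)."""
    auditor = ObjectTagAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample: one benign image object, one flagged object, one remote object.
SAMPLE = """<html><body>
<object type="image/png" data="logo.png"></object>
<OBJECT TYPE="text/html" DATA="file:///C:/WINDOWS/Temporary%20Internet%20Files/Content.IE5/index.dat"></OBJECT>
<object type="text/html" data="http://example.test/page.html"></object>
</body></html>"""

if __name__ == "__main__":
    for line, data in audit_html(SAMPLE):
        print(f"line {line}: OBJECT forces text/html on local cache file: {data}")
```
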

Affected Products:

  • Microsoft Internet Explorer 5.5
  • Microsoft Windows ME

References:
