MS IE URI Redirection Information Disclosure

February 4, 2010

Windows Internet Explorer (formerly Microsoft Internet Explorer) is one of the most widely used web browsers. The browser is capable of processing HTML, images, scripting languages, and various other popular Internet specifications.

URI schemes are one of the specifications that are supported by Internet Explorer. IE uses the URI schemes to access resources on the specified paths. These URI schemes include http://, ftp://, mailto:, file://, and so on. For example, the following scheme can be referred in any webpage.


The file:// URI scheme is typically used to retrieve files from one's own computer. This scheme, unlike many other URL schemes, does not designate a resource that is universally accessible over the Internet. It has the following format:


Where could be the following hierarchical directory:


Besides the specifications, Internet Explorer has embedded numerous security policies which are meant to prevent malicious actions from being attempted by rendered resources. One of the enforced policies found in popular browsers is the inability of cross site scripting (XSS). This is enforced specifically to prevent one site from accessing potentially sensitive information from other started sessions which may contain, among other things, authentication information. Furthermore, Internet Explorer groups websites into security zones with different access privileges. For instance, the Intranet zone websites have higher privileges than the Internet zone ones by default.

There is a security bypass vulnerability found in Microsoft Internet Explorer that could result in information disclosure as well as rendering of arbitrary files on the system as HTML content. Specifically, the vulnerability is due to improper processing of the file:// URI scheme during the web page redirection process. The vulnerable code does not properly validate the security zone before accessing the local files on the target client. If an attacker can predict the correct filename and path, it is possible for the attacker to access arbitrary files via a crafted web page.

SonicWALL UTM team has researched this vulnerability and released an IPS signature to detect and block generic attack attempts targeting this vulnerability. The following IPS signature has been released:

  • 3104 MS IE URI Redirection Security Bypass Attempt

This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) identifier CVE-2010-0255.