Internet Explorer security hole leaks private information from PDF files
November 24, 2009
A critical security flaw in Microsoft's Internet Explorer browser is causing more than 50 million files stored online to leak potentially sensitive information that could compromise user privacy, a security researcher said.
The PDF documents display the exact internal disk location where the file is stored, an oversight that can inadvertently expose real-world names and login IDs of users, the operating system being used and other sensitive information. The data can then be retrieved using simple Google or Yahoo searches.
The potentially sensitive data is included in PDF documents that have been printed using Internet Explorer. The full file path location is appended to its contents as soon as the Microsoft browser is used to print the document.
Although the data isn't always exposed when the document is viewed with Adobe Reader, it is easily readable when the file is opened in editors such as Notepad, and the text is also available to Google and other search engines, namely Yahoo.
The exact file path makes it very clear that it was stored on a Windows computer or server that has software from Worldwide Instructional Design System installed.
Other PDFs also provide directory names that reveal authors, projects or other specific data that may have been designated as confidential and sensitive.
If they have those kinds of PDF documents, somebody can use Google to find out user names or do more reconnaissance on the operating systems used. That actually invades the privacy of a user.
Some Google searches can easily expose over 4 million documents residing on users' C drives alone.
Combined with searches for other common drives, the technique exposes more than 50 million files that can readily display the local disk path, according to Inferno, a security researcher for a large software company who asked that his real name not be used.
The only way to remove the file path is to erase the text in an editor and re-save the PDF document.
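To find documents that need this cleanup before they are published, the check below scans a PDF's bytes, including Flate-compressed streams, for local Windows paths and reports any account name they reveal. It is an added example, not part of the original article, and assumes the path is stored as plain literal text; the function names and the sample document are constructed for illustration.

```python
import re
import zlib

SEG = rb"[^\\/:*?\"<>|()\x00-\x1f]"  # bytes allowed in one path segment
# Optional file:// scheme, a drive letter, then one or more segments.
# Separators may be "/" or "\" (doubled when escaped in a PDF string).
LOCAL_PATH = re.compile(
    rb"(?:file:/+)?\b([A-Za-z]:(?:[\\/]+" + SEG + rb"+)+)")
# Profile folders whose next segment is the Windows account name.
PROFILE = re.compile(r"\\(?:Documents and Settings|Users)\\([^\\]+)", re.I)
STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.S)


def decoded_views(pdf_bytes):
    """Yield bytes outside streams, then each stream body (inflated if Flate)."""
    yield STREAM.sub(b"", pdf_bytes)
    for m in STREAM.finditer(pdf_bytes):
        body = m.group(1)
        try:
            yield zlib.decompressobj().decompress(body)
        except zlib.error:
            yield body  # stored uncompressed, or a filter not handled here


def find_local_paths(pdf_bytes):
    """Map each local path found to the account name it reveals, or None."""
    hits = {}
    for view in decoded_views(pdf_bytes):
        for m in LOCAL_PATH.finditer(view):
            # Undo PDF backslash escaping and unify the separators.
            path = re.sub(rb"[\\/]+", lambda _: b"\\", m.group(1))
            path = path.decode("latin-1").strip()
            user = PROFILE.search(path)
            hits[path] = user.group(1) if user else None
    return hits


# Constructed sample: one path as a literal string with escaped backslashes,
# one inside a Flate-compressed content stream.
SAMPLE = (
    b"%PDF-1.4\n1 0 obj\n<< /Length 70 >>\nstream\n"
    b"BT (file://C:\\\\Documents and Settings\\\\jdoe\\\\Desktop\\\\q3.htm) Tj ET\n"
    b"endstream\nendobj\n2 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(b"BT (file://D:/projects/alpha/notes.htm) Tj ET")
    + b"\nendstream\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    for path, user in find_local_paths(SAMPLE).items():
        print(f"{path}  (account: {user or 'n/a'})")
```

Text that a PDF writer splits across several string operators or stores with a custom font encoding will not match, so a clean result from this check is not proof that a file is free of paths.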
So far, all versions of Internet Explorer suffer from this security hole. However, a Microsoft spokeswoman said company engineers are working to reproduce the reported behavior.
"We can confirm that this isn't a security vulnerability," she wrote in an email.