Add to del.icio.us     Digg this

November 24, 2009

A critical security flaw in Microsoft's Internet Explorer browser is causing more than 50 million files stored online to leak potentially sensitive information that could compromise user privacy, a security researcher said.

The PDF documents display the exact internal disk location where the file is stored, an oversight that can inadvertently expose real-world names and login IDs of users, the operating system being used and other sensitive information. The data can then be retrieved using simple Google or Yahoo searches.

The potentially sensitive data is included in PDF documents that have been printed using Internet à Explorer. The full file path location is appended to its contents as soon as the Microsoft browser is used to print the document.

Although the data isn't always exposed when the document is viewed with Adobe Reader, it is easily readable when the file is opened in editors such as Notepad, and the text is also available to Google and other search engines, namely Yahoo.

The exact file path makes it very clear that it was stored on a Windows computer or server that has software from Worldwide Instructional Design System installed.

Other PDFs also provide directory names that reveal authors, projects or other specific data that may have been designated as confidential and sensitive.

If they have those kind of PDF documents, somebody can use Google to find out user names or do more reconnaissance on the operating systems used. That actually invades the privacy of a user.

Some Google searches can easily expose over 4 million documents residing on users' C drives alone.

Combined with searches for other common drives, the technique exposes more than 50 million files that can readily display the local disk path, according to Inferno, a security researcher for a large software company who asked that his real name not be used.

The only way to remove the file path is erase the text in an editor and re-save the PDF document.

So far, all versions of Internet Explorer suffer from this security hole. A Microsoft spokeswoman said company engineers are working to reproduce the reported behavior, however.

"We can confirm that this isn't a security vulnerability," she wrote in an email.

Add to del.icio.us     Digg this

Source: ISAI.

Save Internet Security.ca's URL to the list of your favorite web sites in your Web browser by clicking here.

Become an authorized reseller of Proxy Sentinel™ and Firewall Sentinel™. Do like the rest of our authorized resellers and have your clients benefit the important security features of our products and solutions, while increasing your sales at the same time. Click here for all the details.

You can link to the Internet Security web site as much as you like. Read our section on how your company can participate in our reciprocal link exchange program and increase your rankings in the major search engines such as
Google and all the others.