Critical IE security issues to be detailed at Black Hat DC 2010

At the Black Hat DC 2010 conference Core SCS Security Consultant Jorge Luis Alvarez Medina will demonstrate cutting-edge browser manipulation techniques that can allow for remote exploitation of devices running Microsoft’s ubiquitous Internet Explorer web browser in his talk: “Internet Explorer Turns Your Personal Computer into a Public File Server.”

Alvarez Medina will specifically highlight how an attacker may be able to gain access to every file on a Windows PC file system running Internet Explorer using the methods discovered during his research. The involved attack leverages not a traditional software security vulnerability, but instead legitimate design features of IE that may be considered minor points of risk on their own, but can be combined to carry out dangerous attacks.

The expert will also disclose and demonstrate proof-of-concept code developed for the scenarios being proposed. Core Security is working closely with Microsoft to ensure that the vendors’ millions of customers remain protected from potential threats targeting the reported issues.

“This is an interesting form of exploitation specifically in that it does not utilize traditional security flaws to run its course but instead targets legitimate features purposely built into IE for many years,” said Alvarez Medina. “Microsoft has attempted to address these types of problems in IE in the past but their response has not prevented someone from targeting these sorts of issues to gain access to data that resides on machines running their browser.”

With the recent disclosure of the IE zero day vulnerability that was used to carry out targeted attacks against some of the world’s largest technology companies, interest in browser flaws – particularly those affecting IE – has arguably never been greater.