Microsoft has issued Security Advisory (980088) to address a publicly disclosed vulnerability in Internet Explorer that may allow information disclosure for Windows XP users or for users who have disabled Internet Explorer Protected Mode. The advisory explains that content can be forced to render incorrectly from local files in such a way that information can be exposed to malicious websites.

The vulnerability was discussed in depth at this week's Black Hat DC conference by Jorge Luis Alvarez Medina, a security consultant with Core Security Technologies who revealed the issue a day after Microsoft released an out-of-band security bulletin for the browser. Here's the official description of the briefing: "In this presentation we will show how an attacker can read every file of your filesystem if you are using Internet Explorer. This attack leverages different design features of Internet Explorer entailing security risks that, while low if considered isolated, lead to interesting attack vectors when combined altogether. We will also disclose and demonstrate proof of concept code developed for the scenarios proposed."

Users running a version of Internet Explorer that does not have Protected Mode, or users who have decided to disable Protected Mode, are exposed to an attacker who can access files with an already known filename and location. Versions affected include Internet Explorer 5.01 and IE6 SP1 on Windows 2000 SP4, as well as IE6, IE7, and IE8 on supported editions of Windows XP and Windows Server 2003. Microsoft made sure to note that Protected Mode prevents exploitation of this vulnerability and is running by default for IE7 and IE8 on Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

Redmond also underlined that it is currently unaware of any attacks trying to use the vulnerability. The company is actively monitoring the situation and may provide a security update on an upcoming Patch Tuesday, or as an out-of-cycle patch, once it is ready. The next Patch Tuesday is scheduled for February 9, 2009, but we're not likely to see a patch out that soon. As always, Microsoft is recommending users upgrade to IE8 (the company urged users to upgrade away from IE6 and XP after hacks affecting IE6 last month).

In the meantime, the software giant listed five mitigating factors for the vulnerability:

Protected Mode in IE7/IE8 on Windows Vista and later limits the impact of the vulnerability.

In a Web-based attack scenario, an attacker could host a webpage that is used to exploit this vulnerability or do so via a webpage that accepts or hosts user-provided content or advertisements. In all cases, however, an attacker would have no way to force users to visit these websites and would have to convince them to do so, which is typically achieved via an e-mail or instant message.

An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High and so is a mitigating factor for websites that you have not added to the Internet Explorer Trusted sites zone.

By default, all supported versions of Outlook, Outlook Express, and Windows Mail open HTML e-mail messages in the Restricted sites zone, which should mitigate attacks trying to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.

Microsoft outlined three workarounds in the security advisory. The first is to modify Internet Explorer's settings: set the Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting in these zones. The second suggests configuring Internet Explorer to prompt before running Active Scripting or disabling Active Scripting completely in the Internet and local intranet security zone. The third one is to enable Internet Explorer Network Protocol Lockdown for Windows XP. It requires editing the Windows registry, but thankfully Microsoft has created a "Fix it for me" for this workaround, available at KB 980088. Just click the "Fix this problem" link and you're good to go. The Fix It automates Network Protocol Lockdown and can be run on individual systems and deployed by enterprises through their automated systems.
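
For administrators who want to confirm that the first two workarounds actually took effect, here is an added audit sketch (not code from Microsoft or the advisory). It assumes the standard per-user Internet Explorer zone settings under HKCU, with no Group Policy override, and uses the standard zone numbers and URL action IDs; the function name Get-ZoneActionAudit is hypothetical.

```powershell
# Added example: report whether Active Scripting and ActiveX are set to
# Prompt or Disable in the two zones the workarounds name.
# Standard Internet Explorer values (assumed, not listed in the article):
#   zone 1 = Local intranet, zone 3 = Internet
#   1200 = Run ActiveX controls and plug-ins, 1400 = Active scripting
#   data 0 = Enable, 1 = Prompt, 3 = Disable
$Zones   = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$Actions = @{ '1200' = 'Run ActiveX controls'; '1400' = 'Active scripting' }
$Meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$Base    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Get-ZoneActionAudit {
    foreach ($zone in ($Zones.Keys | Sort-Object)) {
        $path  = '{0}\{1}' -f $Base, $zone
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        foreach ($id in ($Actions.Keys | Sort-Object)) {
            # Read the DWORD if the value exists; otherwise report NotSet.
            $entry = $null
            if ($props) { $entry = $props.PSObject.Properties[$id] }
            if ($entry) {
                $raw     = [int]$entry.Value
                $setting = $Meaning[$raw]
                if (-not $setting) { $setting = "Unknown ($raw)" }
                # Workarounds 1 and 2 both end in Prompt or Disable.
                $ok = ($raw -eq 1) -or ($raw -eq 3)
            } else {
                $setting = 'NotSet'
                $ok      = $false
            }
            New-Object PSObject -Property @{
                Zone      = $Zones[$zone]
                Action    = $Actions[$id]
                Setting   = $setting
                Mitigated = $ok
            } | Select-Object Zone, Action, Setting, Mitigated
        }
    }
}

# Show all four checks; any row with Mitigated = False needs attention.
Get-ZoneActionAudit | Format-Table -AutoSize
```

A row showing Enable or NotSet means the zone still runs that content without prompting, so the workaround is not in place for that user profile.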