CERT Coordination Center

Microsoft Internet Explorer 7 DisableCachingOfSSLPages may not prevent caching

Vulnerability Note VU#468843

Original Release Date: 2008-05-09 | Last Revised: 2008-05-09

Overview

Setting the Internet Explorer 7 option DisableCachingOfSSLPages may not prevent the caching of SSL-enabled web pages.

Description

Administrators and users can set the Internet Explorer DisableCachingOfSSLPages option to prevent sensitive or private data from being saved to disk. The registry key for this setting is:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableCachingOfSSLPages

After enabling this setting, Internet Explorer 7 may still cache SSL-enabled web pages to disk.

Impact

Private or sensitive data may be written to disk inadvertently.

Solution

We are currently unaware of a practical solution to this problem.

Secure deletion

Securely deleting or encrypting the Internet Explorer 7 browser cache (%userprofile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low) that contains the sensitive information will mitigate this vulnerability.
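
An added example, not part of the CERT note: a PowerShell audit that reads the DisableCachingOfSSLPages value and lists files created in the cache folder named above after a given time, so an administrator can check whether a browsing session limited to SSL pages still left data on disk. The `-Since` and `-EncryptCache` parameters and the function names are this example's own, applying EFS through `cipher.exe` is an assumed way of doing the encryption the note mentions, and the registry key is written `Internet Settings` as Windows names it.

```powershell
# Added example, not CERT's code. Run as the user whose profile is being audited.
param(
    [datetime]$Since = (Get-Date).AddHours(-1),  # start of the SSL-only test session
    [switch]$EncryptCache                        # also apply EFS to the cache folder
)

$regPath  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$regName  = 'DisableCachingOfSSLPages'
# Cache location quoted in the note (IE7 low-integrity cache).
$cacheDir = Join-Path $env:USERPROFILE 'AppData\Local\Microsoft\Windows\Temporary Internet Files\Low'

function Test-SslCachingDisabled {
    # $true only when the value exists and is non-zero.
    $item = Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue
    return [bool]($item -and ($item.$regName -ne 0))
}

function Get-CacheResidue([datetime]$After) {
    # -Force is needed: cache folders and files carry hidden/system attributes.
    if (-not (Test-Path -LiteralPath $cacheDir)) { return @() }
    Get-ChildItem -LiteralPath $cacheDir -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.CreationTime -ge $After }
}

$disabled = Test-SslCachingDisabled
$residue  = @(Get-CacheResidue -After $Since)
$bytes    = [int64](($residue | Measure-Object -Property Length -Sum).Sum)

"DisableCachingOfSSLPages set: $disabled"
"Files created since ${Since}: $($residue.Count) ($bytes bytes)"
$residue | Sort-Object CreationTime | Select-Object CreationTime, Length, FullName

if ($disabled -and $residue.Count -gt 0) {
    Write-Warning 'Setting is enabled but the cache received files; treat the cache as sensitive.'
}

if ($EncryptCache) {
    # /E marks the folder encrypted; /S: applies it to the folder and its subfolders,
    # so files added later are encrypted as well.
    & cipher.exe /E "/S:$cacheDir"
}
```

The listing cannot tell SSL pages from other content by itself, so the comparison is only meaningful when the session between `-Since` and the run visited SSL-enabled pages only.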

Vendor Information

Microsoft Corporation Affected

Notified: March 06, 2008 | Updated: April 22, 2008

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

Thanks to Bill Knox from MITRE for reporting this vulnerability.

This document was written by Ryan Giobbi.

Other Information

CVE IDs: None
Severity Metric: 2.40
Date Public: 2008-05-09
Date First Published: 2008-05-09
Date Last Updated: 2008-05-09 18:17 UTC
Document Revision: 18

Sponsored by CISA.