Microsoft has recently released Microsoft Security Bulletin MS00-046, in which they announced a patch for the "Cache Bypass" vulnerability. By exploiting this vulnerability, an attacker can use an HTML-formatted message to read certain types of files on the victim's machine.
In addition, because this vulnerability also allows the attacker to store files on the victim's machine, it can be used in conjunction with existing vulnerabilities to execute arbitrary code on the target system.
"Cache Bypass" Vulnerability
When exploited, this vulnerability allows an attacker to store an HTML file in an area that is not protected by the policies of the "Internet Zone." This file may then be used to open arbitrary files on the victim's machine and send their contents back to the attacker.
Microsoft has released Microsoft Security Bulletin MS00-046, which points to a patch for this vulnerability. We strongly encourage you to read this bulletin and apply the patch. MS00-046 is available at
The CERT Coordination Center thanks Microsoft for their assistance in developing this document.
This document was written by Jeffrey P Lanza.