Software Engineering Institute

By design, Microsoft Internet Explorer prevents programs on web sites from reading files on your computer without authorization. Likewise, by design, Microsoft Outlook and Outlook Express prevent programs embedded in mail messages from reading files on your computer without authorization. One type of program that can be embedded in a web page or mail message is a script written in VBScript. According to the Microsoft VBScript FAQ, "VBScript is intended to be a safe subset of the language, it does not include file I/O or direct access to the underlying operating system. " This restriction on VBScript is intended to allow VBScript programs to operate safely even without strong authentication.

Unfortunately, a flaw in the behavior of the GetObject call in VBScript permits access to files despite the putative restrictions on the VBScript language intself. Specifically, the GetObject call returns a reference to an automation object. Automation objects can be controlled through programmatic interfaces and accessed through well defined properties. The programmatic interface and set of properties are determined by the class of the object. The class of the object is specified in the GetObject call itslef. The call has the following syntax:

GetObject([pathname] [, class])

The pathname paramter is a reference to a file containing the object of interest.

One class is htmlfile. This class indicates the object should be interpreted as an HTML file. One of the properties of an htmlfile object is its Document Object Model, or DOM. A DOM is a model of a document in a web browser that allows programmatic access to the various parts of a document, such as titles, lists of links, or the text of the body.

When the GetObject calls references a file on the local disk and specifies htmlfile as the class, the DOM of that file is subsequently available to VBScript programs (again, despite the restrictive language specification). A malicious VBScript can then return the contents of the document (accessed through the DOM) back to the web site, forward it through electronic mail, or otherwise disclose it.

Malicious web sites or email messages can read files that should be protected.

Until and unless a patch can be developed, we recommend disabling Active Scripting in Internet Explorer in any zone with untrusted hosts. Additionally, we recommend configuring Outlook using the guidelines found in http://www.microsoft.com/office/outlook/downloads/security.htm. Other products (including third-party products) that respect Internet Explorer security zones should be configured to run VBScript only in trusted zones.