A security consultant on Wednesday gave a live demonstration at the Black Hat DC conference that immediately prompted a security advisory from Microsoft. Jorge Luis Alvarez Medina, the Argentina-based security consultant with Core Security Technologies, showed attendees that it was possible to exploit a flaw in Internet Explorer to remotely read files on a victim's local drive.
Medina said that the security flaw extends across all versions of Internet Explorer and cannot be fixed with a simple patch. Microsoft countered that consumers can work around the problem by running Internet Explorer in "protected mode." Still, that does not ultimately solve the problem: many unaware Internet Explorer users will remain exposed to the Internet like an at-home FTP server offering free, anonymous downloads.
According to Computerworld, Medina offered other workarounds, including an IE Network Protocol Lockdown. This is achieved by raising the security level of the Internet and Local intranet zones to "High" and disabling Active Scripting for both zones. He also suggested that users switch to a different browser when navigating to untrusted websites.
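A read-only check of the two zone settings this workaround depends on, added here as an example and not part of the article or Core Security's material; the registry paths, value names and numeric meanings (zone 1 = Local intranet, zone 3 = Internet, value 1400 = Active scripting, CurrentLevel 0x12000 = High) are assumed from public IE zone documentation, and the Network Protocol Lockdown feature itself is not covered:

```powershell
# Added example: audit whether the Internet (3) and Local intranet (1) zones are at
# the "High" level with Active Scripting disabled. Reads the registry only.
# Paths and value meanings are assumptions from public IE zone documentation.
$zoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneNames = @{ 1 = 'Local intranet'; 3 = 'Internet' }

function Get-IEZoneLevelName {
    param($Raw)
    if ($null -eq $Raw) { return 'unset' }          # switch on $null matches nothing
    switch ([int]$Raw) {
        0x12000 { 'High' }
        0x11000 { 'Medium' }
        0x10500 { 'Medium-low' }
        0x10000 { 'Low' }
        default { 'custom (0x{0:X})' -f [int]$Raw }  # user-customised zone
    }
}

function Get-IEActiveScriptingState {
    param($Raw)
    if ($null -eq $Raw) { return 'unset' }
    switch ([int]$Raw) { 0 { 'Enabled' } 1 { 'Prompt' } 3 { 'Disabled' } default { "unknown ($Raw)" } }
}

function Test-IEZoneWorkaround {
    param([int]$ZoneId)
    $key = Join-Path $zoneRoot $ZoneId
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Zone = $zoneNames[$ZoneId]; Level = 'missing'; ActiveScripting = 'missing'; Compliant = $false }
    }
    $props = Get-ItemProperty -Path $key
    $level = Get-IEZoneLevelName -Raw $props.CurrentLevel
    $script = Get-IEActiveScriptingState -Raw $props.'1400'
    [pscustomobject]@{
        Zone            = $zoneNames[$ZoneId]
        Level           = $level
        ActiveScripting = $script
        # Both conditions from the workaround must hold for the zone to count as compliant.
        Compliant       = ($level -eq 'High' -and $script -eq 'Disabled')
    }
}

# Report both zones; any row with Compliant = False still has the weaker settings in place.
$zoneNames.Keys | Sort-Object | ForEach-Object { Test-IEZoneWorkaround -ZoneId $_ } | Format-Table -AutoSize
```

Run it in the user's own session, since zone settings live under HKCU; a Compliant value of False on either row means that part of the workaround has not been applied.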
According to Microsoft, the FTP-style vulnerability affects consumers using Windows XP and those who have disabled Internet Explorer Protected Mode. "The vulnerability exists due to content being forced to render incorrectly from local files in such a way that information can be exposed to malicious websites," the company said.
Given the security issues that have faced Microsoft's Internet browser over the years, surfers should switch to rival software such as Mozilla's Firefox and Google's Chrome. On that note, it's really hard to believe that Internet Explorer 8 is the world's most popular Internet browser. Doh.