CVE-1999-1110

Vulnerability

The Windows Media Player ActiveX control, included with Internet Explorer 5.0, returns a specific error code when attempting to load a non-existent file. This behavior allows a remote malicious website to determine the existence of files on the client machine. This vulnerability affects Internet Explorer 5.0 [1].

Exploitation

An attacker can host a malicious website that uses the Windows Media Player ActiveX control. By instructing the control to attempt to load a specific file path on the victim's client machine and observing the returned ErrorCode, the attacker can deduce whether the file exists or not. This requires the user to visit the attacker's website [1].

Impact

Successful exploitation allows a remote attacker to determine the existence of arbitrary files on the client's file system. This information can be used to infer user names, system configurations, and potentially discover sensitive files, although direct access to file contents is not provided [1].

Mitigation

No specific patch or fixed version information is available in the provided references. Users are advised to exercise caution when visiting untrusted websites. It is recommended to disable or remove the Windows Media Player ActiveX control if not essential for browsing [1].