CVE-2014-1777

Vulnerability

Internet Explorer 10 and 11 contain an information disclosure vulnerability that allows a remote attacker to read local files on the client system. The vulnerability exists in the way IE handles certain web content, and can be triggered without any special configuration beyond browsing to a malicious website. The affected versions are Internet Explorer 10 and 11 on all supported Windows clients and servers.

Exploitation

An attacker can host a specially crafted website that, when visited by a victim using Internet Explorer 10 or 11, exploits the vulnerability. The attacker does not need any authentication or prior access to the victim's system. User interaction is required only in the form of browsing to the malicious site. The attack does not require any special privileges on the client.

Impact

Successful exploitation allows the attacker to read arbitrary local files on the victim's system, leading to information disclosure of sensitive data. The attacker gains no code execution or elevated privileges, but can access files that the current user can read. This could include documents, configuration files, or other data.

Mitigation

Microsoft released security update MS14-035 in June 2014, which addresses this vulnerability by modifying how Internet Explorer handles permissions for local file access [1]. The update is available via Windows Update. Customers running IE 10 or 11 should apply the update. No other workarounds are documented.