IE bug history
Internet Explorer has a long history of bugs, unpatched after years...
and Edge is going the same way.
- New Internet Explorer zero-day exploited in the wild
https://www.itnews.com.au/news/new-internet-explorer-zero-day-exploited-in-the-wild-536672
Microsoft's Internet Explorer zero-day workaround is breaking printing
https://www.grahamcluley.com/microsofts-internet-explorer-zero-day-workaround-is-breaking-printers/
- [0day] Internet Explorer: Execute arbitrary code/commands - Remote with user interaction
https://www.auscert.org.au/bulletins/ASB-2019.0272.2/
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1367
https://www.zdnet.com/article/microsoft-releases-out-of-band-security-update-to-fix-ie-zero-day-defender-bug/
- Microsoft Internet Explorer v11 / XML External Entity Injection 0day
http://seclists.org/fulldisclosure/2019/Apr/20
- Unpatched Zero-Days in Microsoft Edge and IE Browsers Disclosed Publicly
http://thehackernews.com/2019/03/microsoft-edge-ie-zero-days.html
- New IE 0-day in the wild
http://isc.sans.edu/forums/diary/23581
- Microsoft (Win 10) InternetExplorer v11.371.16299.0 - Denial Of Service
http://seclists.org/fulldisclosure/2018/Apr/42
- SOP bypass / UXSS - Stealing Credentials Pretty Fast (Edge)
http://www.brokenbrowser.com/sop-bypass-uxss-stealing-credentials-pretty-fast/
- Unpatched Microsoft Edge and IE Bug
http://isc.sans.edu/forums/diary/22115
Microsoft Edge and IE: Type confusion in HandleColumnBreakOnColumnSpanningElement
https://bugs.chromium.org/p/project-zero/issues/detail?id=1011
- MSIE 9 MSHTML CPtsTextParaclient::CountApes out-of-bounds read
http://seclists.org/fulldisclosure/2016/Nov/20
- Edge XSS filter bypass
http://blog.portswigger.net/2016/04/edge-xss-filter-bypass.html
- The "localhosed" attack - stealing IE local machine cookies and exposing its internal IP address
http://www.securityfocus.com/archive/1/535812
- Major Internet Explorer Vulnerability - NOT Patched
http://seclists.org/fulldisclosure/2015/Feb/0
- (0Day) Microsoft Internet Explorer display:run-in Use-After-Free Remote Code Execution Vulnerability
http://auscert.org.au/21346
- New, Unpatched IE 0 Day published at ZDI
http://isc.sans.edu/forums/diary/18151
(0Day) Microsoft Internet Explorer CMarkup Use-After-Free Remote Code Execution Vulnerability
http://zerodayinitiative.com/advisories/ZDI-14-140/
Microsoft Will Not Fix IE 8 Flaw
http://www.sans.org/newsletters/newsbites/xvi/41#301
- FireEye reports IE 10 zero-day being used in watering hole attack
http://isc.sans.edu/forums/diary/17642
Attack Infecting IE10 Users Through Drive-by Download
http://www.sans.org/newsletters/newsbites/xvi/13#302
Microsoft Security Advisory (2934088) Vulnerability in Internet Explorer Could Allow Remote Code Execution
http://technet.microsoft.com/security/advisory/2934088
- IE Zero-Day Vulnerability Exploiting msvcrt.dll
http://isc.sans.edu/forums/diary/16985
New IE Zero-Day found in Watering Hole Attack
http://www.fireeye.com/blog/technical/2013/11/new-ie-zero-day-found-in-watering-hole-attack.html
- Information disclosure (mouse tracking) vulnerability in Microsoft Internet Explorer versions
http://www.securityfocus.com/archive/1/525012
Update to Alleged Information and Security Issue with Mouse Position Behavior
http://blogs.msdn.com/b/ie/archive/2012/12/13/update-to-alleged-information-and-security-issue-with-mouse-position-behavior.aspx
Responsible Disclosure ... Two clarifications
http://spider.io/blog/2012/12/responsible-disclosure/
- IE8 xss filter breaked
http://lists.grok.org.uk/pipermail/full-disclosure/2012-October/088725.html
- Internet Explorer 9 XSS Filter Bypass
http://www.securityfocus.com/archive/1/524460
- IE Zero Day is "For Real"
http://isc.sans.edu/forums/diary/14107
- Flash Not Patched in Windows 8 With IE10
http://www.sans.org/newsletters/newsbites/xiv/72#302
- IE handling the HTML notes incorrectly may lead to XSS attacks
http://lists.grok.org.uk/pipermail/full-disclosure/2011-August/082164.html
http://lists.grok.org.uk/pipermail/full-disclosure/2011-August/082171.html
- Security researcher finds 'cookiejacking' risk in IE
http://news.cnet.com/8301-1009_3-20066419-83.html
Unpatched IE bug exposes sensitive Facebook creds
http://www.theregister.co.uk/2011/05/25/microsoft_internet_explorer_cookiejacking/
Microsoft Internet Explorer Cross Zone Local Cookie File Access Security Bypass Vulnerability
http://www.securityfocus.com/bid/47989
- IE9 Address Bar Spoof
http://lists.grok.org.uk/pipermail/full-disclosure/2011-March/079665.html
- Microsoft Internet Explorer CSS Parsing Remote Memory Corruption Vulnerability
http://www.securityfocus.com/bid/45246
- Researchers Circumvent IE Protected Mode
http://www.sans.org/newsletters/newsbites/xii/96#302
- Internet Explorer 8 PoC: window.onerror leak leads to surge in interest in goat farming?
http://lists.grok.org.uk/pipermail/full-disclosure/2010-October/077041.html
- A Loophole Big Enough for a Cookie to Fit Through
http://bits.blogs.nytimes.com/2010/09/17/a-loophole-big-enough-for-a-cookie-to-fit-through/
- Internet Explorer 8 PoC: Twitter forced-tweet demo
http://lists.grok.org.uk/pipermail/full-disclosure/2010-September/076353.html
- wp-10-0001: Multiple Browser Wildcard Cerficate Validation Weakness
http://www.securityfocus.com/archive/1/513396
- IE8 toStaticHtml Bypass
http://lists.grok.org.uk/pipermail/full-disclosure/2010-August/076018.html
Microsoft Anti-Cross Site Scripting Library Bypass
http://lists.grok.org.uk/pipermail/full-disclosure/2010-August/076019.html
- [0day] Microsoft mshtml.dll CTimeoutEventList::InsertIntoTimeoutList memory leak
http://www.securityfocus.com/archive/1/512091
- New Twist on Phishing Targets Open Browser Tabs
http://www.sans.org/newsletters/newsbites/xii/42#305
- Arbitrary UNC file read in IE 8
http://www.securityfocus.com/archive/1/511449
- Microsoft Working on Third Fix for Cross-Site Scripting Filter (April 20 & 21, 2010)
http://www.sans.org/newsletters/newsbites/xii/32#301
Abusing Internet Explorer 8's XSS Filters
http://p42.us/ie8xss/Abusing_IE8s_XSS_Filters.pdf
- IE8 img tag HiJacking
http://lists.grok.org.uk/pipermail/full-disclosure/2010-April/074181.html
- WinXP IE .HLP file 0day
http://lists.grok.org.uk/pipermail/full-disclosure/2010-February/073317.html
- IE address bar characters into a small feature
http://www.securityfocus.com/archive/1/509557
- CORE-2009-0625: Internet Explorer Dynamic OBJECT tag and URLMON sniffing vulnerabilities
http://lists.grok.org.uk/pipermail/full-disclosure/2010-February/072877.html
Attack on IE Exposes Users' Entire System Drives
http://www.sans.org/newsletters/newsbites/xii/8#305
Internet Explorer turns your personal computer into a public file server
http://www.blackhat.com/html/bh-dc-10/bh-dc-10-archives.html#AlvarezMedina
- Code to mitigate IE STYLE zero-day
http://www.securityfocus.com/archive/1/508006
- null-prefix certificate for paypal
http://lists.grok.org.uk/pipermail/full-disclosure/2009-October/071042.html
IE, Chrome, Safari duped by bogus PayPal SSL cert
http://www.theregister.co.uk/2009/10/05/fraudulent_paypay_certificate_published/
- Internet Explorer URL Path Spoofing Vulnerability
http://secunia.com/advisories/36334
- Exploiting IE8 UTF-7 XSS Vulnerability using Local Redirection
http://www.securityfocus.com/archive/1/503440
- Microsoft Internet Explorer 8 - Anti Spoofing is a Myth
http://www.securityfocus.com/archive/1/502329
- Researcher hacks just-launched IE8
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=Security&articleId=9130074&taxonomyId=17&pageNumber=1
http://dvlabs.tippingpoint.com/blog/2009/03/18/pwn2own-2009-day-1---safari-internet-explorer-and-firefox-taken-down-by-four-zero-day-exploits
http://dvlabs.tippingpoint.com/blog/2009/03/20/pwn2own-day-2
Released build of Internet Explorer 8 blocks Dowd/Sotirov ASLR+DEP .NET bypass
http://blogs.technet.com/srd/archive/2009/03/23/released-build-of-internet-explorer-8-blocks-dowd-sotirov-aslr-dep-net-bypass.aspx
- Microsoft Internet Explorer 'Scripting.FileSystem' Security Bypass Vulnerability
http://www.securityfocus.com/bid/32868
- The Extended HTML Form attack revisited
http://lists.grok.org.uk/pipermail/full-disclosure/2008-June/062836.html
- Internet Explorer "Print Table of Links" Cross-Zone Scripting
http://secunia.com/advisories/30141/
- Microsoft Internet Explorer Header Handling 'res://' Information Disclosure Vulnerability
http://www.securityfocus.com/bid/28667
- Microsoft Internet Explorer 'ieframe.dll' Script Injection Vulnerability
http://www.securityfocus.com/bid/28581
- IE leaks data [FTP passwords]
http://lists.grok.org.uk/pipermail/full-disclosure/2007-August/056143.html
- MSIE7 entrapment again (+ FF tidbit)
http://lists.grok.org.uk/pipermail/full-disclosure/2007-July/055583.html
- Assorted browser vulnerabilities
http://lists.grok.org.uk/pipermail/full-disclosure/2007-June/054659.html
- IE 7 and Firefox Browsers Digest Authentication Request Splitting
http://lists.grok.org.uk/pipermail/full-disclosure/2007-April/053988.html
- Phishing using IE7 local resource vulnerability
http://lists.grok.org.uk/pipermail/full-disclosure/2007-March/052973.html
http://lists.grok.org.uk/pipermail/full-disclosure/2007-March/052998.html
- Stealing Browser History Without Using JavaScript
http://lists.grok.org.uk/pipermail/full-disclosure/2007-February/052729.html
- Advisory 03/2007: Multiple Browsers Cross Domain Charset Inheritance Vulnerability
http://lists.grok.org.uk/pipermail/full-disclosure/2007-February/052656.html
- MSIE7 browser entrapment vulnerability (probably Firefox, too)
http://lists.grok.org.uk/pipermail/full-disclosure/2007-February/052631.html
- Your home page is assigned to the incorrect security zone if Internet Explorer uses a proxy auto-configuration (.pac) file to specify proxy settings
http://support.microsoft.com/kb/884430
- IE7 website security certificate discrediting exploit
http://www.securityfocus.com/archive/1/450722
http://www.securityfocus.com/archive/1/450825
- Internet Explorer 7 Popup Address Bar Spoofing Weakness
http://secunia.com/advisories/22542/
- Browser Bug of the Month Club
http://isc.sans.edu/forums/diary/1459
http://browserfun.blogspot.com/
- Bypassing of web filters by using ASCII
http://www.securityfocus.com/archive/1/437948
Funny: IE is "right", but the AV do not know...
- file upload widgets in IE and Firefox have issues
http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046610.html
http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046699.html
Firefox/MSIE focus stealing vulnerability - clarification
http://lists.grok.org.uk/pipermail/full-disclosure/2007-February/052352.html
- Write-up by Amit Klein: "IE + some popular forward proxy servers = XSS, defacement (browser cache poisoning)" or "Exploiting the XmlHttpRequest object in IE" part II
http://www.securityfocus.com/archive/1/434931
Web 2.0 backdoors made easy with MSIE & XMLHttpRequest
http://lists.grok.org.uk/pipermail/full-disclosure/2007-February/052189.html
Seems fixed in IE7.
- Microsoft Internet Explorer Content-Disposition HTML File Handling Flaw
http://lists.grok.org.uk/pipermail/full-disclosure/2006-April/044991.html
GMail, Google Groups XSS Vulnerability
http://lists.grok.org.uk/pipermail/full-disclosure/2006-April/045069.html
- Internet Explorer drag&drop 0day
http://lists.grok.org.uk/pipermail/full-disclosure/2006-February/042145.html
Internet Explorer Drag and Drop Redeux [CVE-2005-3240]
http://lists.grok.org.uk/pipermail/full-disclosure/2006-February/042163.html
http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060213/625fc0d2/attachment.txt
Not yet fixed in ms06-021.
- Exploiting the XmlHttpRequest object in IE - paper by Amit Klein
http://www.securityfocus.com/archive/1/411585
http://www.securityfocus.com/archive/1/411823
- [scip_Advisory 1746] Microsoft Internet Explorer 6.0 embedded content cross site scripting
http://lists.grok.org.uk/pipermail/full-disclosure/2005-September/037332.html
- NUL Character Evasion
http://lists.grok.org.uk/pipermail/full-disclosure/2005-September/037140.html
http://lists.grok.org.uk/pipermail/full-disclosure/2005-September/037183.html
- SEC-CONSULT SA-20050629-0: IE6 javaprxy.dll COM instantiation heap corruption vulnerability
http://lists.grok.org.uk/pipermail/full-disclosure/2005-June/034746.html
http://lists.grok.org.uk/pipermail/full-disclosure/2005-June/034748.html
Microsoft Security Advisory (903144) A COM Object (javaprxy.dll) Could Cause Internet Explorer to Unexpectedly Exit
http://www.microsoft.com/technet/security/advisory/903144.mspx
- Apparently fixed in (superseded by) ms05-037.
That fixes the javaprxy.dll instance. There are other exploitable
COM objects:
NSFOCUS SA2005-02 : Microsoft IE Devenum.dll COM Instantiation Remote Code Execution Vulnerability
http://www.securityfocus.com/archive/1/407777
- Apparently fixed in (superseded by) ms05-038.
Still, IE handling of such things is not fixed: only a few more "known
bad" COM objects were "fixed" (adding "kill bit"). There are more, see
e.g.
COM objects and MSIE vulnerabilities recap + additional fix
http://lists.grok.org.uk/pipermail/full-disclosure/2005-August/036232.html
Microsoft Security Advisory (906267) A COM Object (Msdds.dll) Could Cause Internet Explorer to Unexpectedly Exit
http://www.microsoft.com/technet/security/advisory/906267.mspx
Microsoft Internet Explorer can use any COM object
http://www.kb.cert.org/vuls/id/680526
- Apparently fixed in (superseded by) ms05-052, which sets many more
"kill bit"s, and also introduces additional checks before a COM object
is allowed to run; but is still not fixed, yet more "kill bit"s set in
ms05-054 (which also fixes the kill bit mechanism!); yet more "kill
bit"s in ms06-013, ms06-021 and ms06-042.
- And there are more:
Multiple COM objects cause memory corruption in Microsoft Internet Explorer
http://www.kb.cert.org/vuls/id/959049
http://www.xsec.org/
[0day] daxctle2.c - Internet Explorer COM Object Heap Overflow Download Exec Exploit
http://www.securityfocus.com/archive/1/445898
IE ActiveX 0day?
http://www.securityfocus.com/archive/1/446085
MS Windows DRM software Memory Corruption
http://lists.grok.org.uk/pipermail/full-disclosure/2006-October/049923.html
This last one not fixed for over a year, and seen to allow
execute-any-code:
Microsoft Windows Media Digital Rights Management ActiveX Control Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/26630
- The "daxctle" ones above apparently fixed in ms06-067 with more
"kill bit"s.
- IE7 has an ActiveX Opt-in feature, providing a modicum of protection.
But note that users who "have enabled these COM objects in previous
versions of IE will have them enabled in IE7"; and anyway many "useful"
controls are left enabled by default.
- Yet more "kill bit"s in ms07-016 and (even for IE7, without ActiveX
Opt-in mitigation) in ms07-027, and apparently in every IE update e.g.
in ms07-033, ms07-045, ms07-057, ms07-069, ms08-010 and in some MSOffice
updates e.g. in ms08-017 and of course in ms08-023, ms08-032.
- Yet more "kill bit"s e.g. in ms09-055, ms10-008.
- Microsoft Internet Explorer Dialog Origin Spoofing Vulnerability
http://secunia.com/advisories/15491/
Microsoft Security Advisory (902333): Browser Windows Without Indications of Their Origin may be Used in Phishing Attempts
http://www.microsoft.com/technet/security/advisory/902333.mspx
- Microsoft Outlook Express Attachment Processing File Extension Obfuscation Vulnerability
http://www.securityfocus.com/bid/13837
Microsoft Windows - Filesystem bug allows various things
http://archives.neohapsis.com/archives/ntbugtraq/2005-q2/0099.html
- Multi browser sensitive information disclosure
http://lists.grok.org.uk/pipermail/full-disclosure/2005-March/032215.html
- Possible XSS issue on Windows XPSP2 IE6 via MIME Encapsulation of Aggregate HTML
http://lists.grok.org.uk/pipermail/full-disclosure/2005-February/032058.html
http://lists.grok.org.uk/pipermail/full-disclosure/2005-February/032074.html
http://lists.grok.org.uk/pipermail/full-disclosure/2005-March/032092.html
- IObjectSafety and Internet Explorer
http://www.securityfocus.com/archive/1/391803
- WindowsXPSP2 script-initiated popup window titlebar spoofing
http://lists.grok.org.uk/pipermail/full-disclosure/2005-February/031876.html
- IE/OE Restricted Zone Status Bar Spoofing
http://lists.grok.org.uk/pipermail/full-disclosure/2005-February/031773.html
- SAME LADY, DIFFERENT HAT: REELY
http://www.securityfocus.com/archive/1/389023
- Internet Explorer URL obfuscation.
http://www.securityfocus.com/archive/1/388004
http://lists.grok.org.uk/pipermail/full-disclosure/2005-January/031105.html
- Internet Explorer (SP2) - Remote File Download Information Bar Bypass
http://lists.grok.org.uk/pipermail/full-disclosure/2005-January/030896.html
- 7a69Adv#17 - Internet Explorer FTP download path disclosure
http://www.securityfocus.com/archive/1/385882
- Internet Explorer FTP client can be used to send mail
http://lists.grok.org.uk/pipermail/full-disclosure/2004-December/030229.html
- MSIE DHTML Edit Control Cross Site Scripting Vulnerability
http://www.securityfocus.com/archive/1/384518
- Address Bar Spoophing for the Pheeshies: IntotheNet Explorer 6
http://lists.grok.org.uk/pipermail/full-disclosure/2004-December/029900.html
- Multiple Browsers Window Injection Vulnerability
http://secunia.com/secunia_research/2004-13/advisory/
Microsoft Internet Explorer Window Injection Vulnerability
http://secunia.com/advisories/13251/
- 7a69Adv#15 - Internet Explorer FTP command injection
http://www.securityfocus.com/archive/1/383722
Rapid7 Advisory R7-0032: Microsoft Internet Explorer FTP Command Injection Vulnerability
http://lists.grok.org.uk/pipermail/full-disclosure/2008-March/060688.html
- IE6 Vulnerability - Local File Detection
http://www.securityfocus.com/archive/1/383622
- Microsoft Internet Explorer 6 SP2 Vulnerabilities / Full disclosure Vs. Security by Obscurity...
[file download security warning bypass]
http://www.securityfocus.com/archive/1/381718
playing for fun with <=IE7
http://www.securityfocus.com/archive/1/482220
http://lists.grok.org.uk/pipermail/full-disclosure/2007-October/066699.html
- Microsoft Internet Explorer permits to examine the existence of local files
http://www.securityfocus.com/archive/1/380541
- How to Break Windows XP SP2 + Internet Explorer 6 SP2
http://lists.grok.org.uk/pipermail/full-disclosure/2004-October/027778.html
http://lists.grok.org.uk/pipermail/full-disclosure/2004-October/027806.html
http://archives.neohapsis.com/archives/ntbugtraq/2004-q4/0096.html
[Unpatched] New 0day exploit for XPSP2
http://lists.grok.org.uk/pipermail/full-disclosure/2004-October/027830.html
- [IE 6 SP2] Possible URL Spoofing
http://www.securityfocus.com/archive/1/378569
http://www.securityfocus.com/archive/1/378666
- Yet another IE aperture
http://lists.grok.org.uk/pipermail/full-disclosure/2004-October/027213.html
http://lists.grok.org.uk/pipermail/full-disclosure/2004-October/027309.html
- Alpha Phising [IE 6 WinXP SP2]
http://www.securityfocus.com/archive/1/373149
- Internet Explorer Local File/Directory Detection
http://www.securityfocus.com/archive/1/372736
- Microsoft Windows XP SP2
http://lists.grok.org.uk/pipermail/full-disclosure/2004-August/025513.html
- NullyFake - Site Spoofing in MSIE
http://archives.neohapsis.com/archives/ntbugtraq/2004-q3/0107.html
- Microsoft Internet Explorer 6 Protocol Handler Vulnerability
http://www.securityfocus.com/archive/1/370959
http://www.securityfocus.com/archive/1/371061
http://lists.grok.org.uk/pipermail/full-disclosure/2004-August/024833.html
Internet Explorer 0day exploit
http://lists.grok.org.uk/pipermail/full-disclosure/2007-July/064513.html
Cross Application Scripting (IE pwns Trillian, Trillian pwns YOU!)
http://lists.grok.org.uk/pipermail/full-disclosure/2007-July/064650.html
iDefense Security Advisory 07.19.07: Multiple Vendor Multiple Product URI Handler Input Validation Vulnerability
http://lists.grok.org.uk/pipermail/full-disclosure/2007-July/064759.html
IE problem really ...
http://www.mozillazine.org/talkback.html?article=22198#16
Microsoft Windows URI Handling Command Execution Vulnerability
http://secunia.com/advisories/26201/
0day: mIRC pwns Windows
http://www.securityfocus.com/archive/1/481418
URI handling woes in Acrobat Reader, Netscape, Miranda, Skype
http://lists.grok.org.uk/pipermail/full-disclosure/2007-October/066324.html
http://lists.grok.org.uk/pipermail/full-disclosure/2007-October/066532.html
http://lists.grok.org.uk/pipermail/full-disclosure/2007-October/066765.html
Microsoft Security Advisory (943521) URL Handling Vulnerability in Windows XP and Windows Server 2003 with Windows Internet Explorer 7 Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/943521.mspx
MSRC Blog: Additional Details and Background on Security Advisory 943521
http://blogs.technet.com/msrc/archive/2007/10/10/msrc-blog-additional-details-and-background-on-security-advisory-943521.aspx
Third-party patch for CVE-2007-3896 (Internet Explorer 7 invalid URI handling) available
http://lists.grok.org.uk/pipermail/full-disclosure/2007-October/066638.html
Maybe this is fixed in ms07-061.
- FullDisclosure/IE - Possible Address Spoofing
http://www.securityfocus.com/archive/1/369741
http://www.securityfocus.com/archive/1/370120
- MSOE Javascript Execution Vulnerability
http://www.securityfocus.com/archive/1/368670
- MSIE Download Window Filename + Filetype Spoofing Vulnerability
http://www.securityfocus.com/archive/1/368648
http://www.securityfocus.com/archive/1/368660
- Media Preview Script Execution Vulnerability
http://www.securityfocus.com/archive/1/368650
- Microsoft Word Email Object Data Vulnerability
http://www.securityfocus.com/archive/1/368492
http://www.securityfocus.com/archive/1/368542
- IE sucks : sun java virtual machine insecure tmp file creation
http://lists.grok.org.uk/pipermail/full-disclosure/2004-July/023674.html
http://lists.grok.org.uk/pipermail/full-disclosure/2004-July/023681.html
- Race conditions in security dialogs
http://lists.grok.org.uk/pipermail/full-disclosure/2004-July/023550.html
Internet Explorer User Interface Races, Redeux
http://lists.grok.org.uk/pipermail/full-disclosure/2006-April/045566.html
- SUPER SPOOF DELUXE
http://lists.grok.org.uk/pipermail/full-disclosure/2004-June/023146.html
http://lists.grok.org.uk/pipermail/full-disclosure/2004-June/023148.html
http://lists.grok.org.uk/pipermail/full-disclosure/2004-June/023160.html
http://www.securityfocus.com/archive/1/367885
- Internet Explorer Remote Null Pointer Crash(mshtml.dll)
http://lists.grok.org.uk/pipermail/full-disclosure/2004-June/022655.html
http://lists.grok.org.uk/pipermail/full-disclosure/2004-June/022679.html
- COELACANTH: Phreak Phishing Expedition
http://lists.grok.org.uk/pipermail/full-disclosure/2004-June/022514.html
http://lists.grok.org.uk/pipermail/full-disclosure/2004-June/022521.html
http://lists.grok.org.uk/pipermail/full-disclosure/2004-June/022525.html
http://lists.grok.org.uk/pipermail/full-disclosure/2004-June/022524.html
http://lists.grok.org.uk/pipermail/full-disclosure/2004-June/022528.html
MAGIC XSS INTO THE DNS: coelacanth
http://lists.grok.org.uk/pipermail/full-disclosure/2004-June/022646.html
- POA: Outlook Expresss 6.00
http://www.securityfocus.com/archive/1/363248
- DEEP SEA PHISHING: Internet Explorer / Outlook Express
http://lists.grok.org.uk/pipermail/full-disclosure/2004-May/021116.html
Microsoft Internet Explorer ImageMap URL Spoof Vulnerability
http://www.securityfocus.com/archive/1/363568
http://www.securityfocus.com/archive/1/365151
- Remote DoS IE Memory Access Violation
http://www.securityfocus.com/archive/1/362524
http://lists.grok.org.uk/pipermail/full-disclosure/2004-May/021272.html
With
<a href="\\þ:\silly">click</a>
or
<body onload='window.location="file:\\þ:\silly"'>
I also can crash IE6SP1 on W2kSP4, but not IE6 on W2kSP3; and cannot
reproduce the registry corruption.
- The "long share name buffer overflow" bug (see below, under
WinXP/Vista issues)
is remotely (web, email) exploitable to run arbitrary code (no public
references yet).
- IE Certificate Stealing (Phising) bug
http://www.securityfocus.com/archive/1/361860
- Que es mas macho, SCRIPTES o TABLESPOON?
http://lists.grok.org.uk/pipermail/full-disclosure/2004-April/020501.html
- IE 6 Print Without Prompt
http://www.securityfocus.com/archive/1/360128
- MSWebDVD Class(mswebdvd.dll) Null Pointer Assignment
http://lists.grok.org.uk/pipermail/full-disclosure/2004-April/019843.html
- NOT GOOD: Outlook Express 6 + Internet Explorer 6
http://www.securityfocus.com/archive/1/359139
http://archives.neohapsis.com/archives/ntbugtraq/2004-q1/0121.html
AusCERT Alert AL-2004.10 -- Bogus Banking Email Allows Trojan Infection for Outlook Users
http://www.auscert.org.au/3981
- New Internet Explorer Cross Zone/Site Scripting Vulnerability
http://www.securityfocus.com/archive/1/356083
http://www.securityfocus.com/archive/1/356175
- iDEFENSE Security Advisory 02.27.04b: Microsoft Internet Explorer Cross Frame Scripting Restriction Bypass
http://www.securityfocus.com/archive/1/355512
- Possible new cross zone scripting in IE
http://www.securityfocus.com/archive/1/353279
http://lists.grok.org.uk/pipermail/full-disclosure/2004-February/017004.html
- Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part IV
http://www.securityfocus.com/archive/1/348688
http://www.securityfocus.com/archive/1/348707
http://lists.grok.org.uk/pipermail/full-disclosure/2004-January/015146.html
http://lists.grok.org.uk/pipermail/full-disclosure/2004-January/015149.html
http://lists.grok.org.uk/pipermail/full-disclosure/2004-January/015159.html
- IE 5.22 on Mac Transmitting HTTP Referer from Secure Page
http://www.securityfocus.com/archive/1/348574
- Internet Explorer file downloading security alerts bypass
http://www.securityfocus.com/archive/1/348225
- Bunch of problems from Liu Die Yu:
New "Clean" IE Remote Compromise
http://www.securityfocus.com/archive/1/345614
BackToFramedJpu - a successor of BackToJpu attack
http://www.securityfocus.com/archive/1/345617
IE Remote Compromise by Getting Cache Location
http://www.securityfocus.com/archive/1/345619
Note for "Invalid ContentType may disclose cache directory"
http://www.securityfocus.com/archive/1/345624
Cache Disclosure Leads to MYCOMPUTER Zone and Remote Compromise
http://www.securityfocus.com/archive/1/345625
Invalid ContentType may disclose cache directory
http://www.securityfocus.com/archive/1/345627
- Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part III
http://www.securityfocus.com/archive/1/343521
http://lists.grok.org.uk/pipermail/full-disclosure/2003-November/013383.html
http://www.securityfocus.com/archive/1/343853
http://www.securityfocus.com/archive/1/343917
- IE: double slash moves cache from INTERNET zone to MYCOMPUTER zone
http://www.securityfocus.com/archive/1/343474
http://www.securityfocus.com/archive/1/344055
- MSIE clientCaps "isComponentInstalled" and "getComponentVersion" registry information leakage
http://www.securityfocus.com/archive/1/343473
- Internet Explorer and Opera local zone restriction bypass
http://www.securityfocus.com/archive/1/342317
http://www.securityfocus.com/archive/1/342467
http://www.securityfocus.com/archive/1/342471
http://www.securityfocus.com/archive/1/342582
http://www.securityfocus.com/archive/1/342673
http://www.securityfocus.com/archive/1/342973
http://www.securityfocus.com/archive/1/343037
Redirection and refresh parses local file
http://www.securityfocus.com/archive/1/343049
Internet Explorer Vulnerability: Content-Location works with both triple and double slash
http://www.securityfocus.com/archive/1/343119
MPSB03-08 Update to Flash Player Addressing Local Shared Object Security
http://www.adobe.com/devnet/security/security_zone/mpsb03-08.html
- Microsoft Windows Server 2003 "Shell Folders" Directory Traversal Vulnerability
http://www.securityfocus.com/archive/1/340666
fixed in Windows2003ServerSP1
http://www.securityfocus.com/archive/1/394826
Aol Instant Messenger/Microsoft Internet Explorer remote code execution
http://www.securityfocus.com/archive/1/354448
http://www.securityfocus.com/archive/1/354493
- A bit of cute legalese... and technical response:
RIP: ActiveX controls in Internet Explorer?
http://www.securityfocus.com/archive/1/335564
IE Changes / Software Patents
http://lists.grok.org.uk/pipermail/full-disclosure/2003-October/011595.html
- Notepad popups in Internet Explorer and Outlook
http://archives.neohapsis.com/archives/ntbugtraq/2003-q3/0090.html
http://archives.neohapsis.com/archives/ntbugtraq/2003-q3/0094.html
http://lists.grok.org.uk/pipermail/full-disclosure/2003-August/007742.html
- Drivial Pursuit: Internet Explorer Browser & Your Files and Folders !
http://www.securityfocus.com/archive/1/330173
http://www.securityfocus.com/archive/1/330327
- IE chromeless window vulnerabilities
http://www.securityfocus.com/archive/1/328947
http://www.securityfocus.com/archive/1/328978
http://www.securityfocus.com/archive/1/329014
- Script Injection to Custom HTTP Errors in Local Zone (GM#014-IE)
http://www.securityfocus.com/archive/1/325361
http://www.securityfocus.com/archive/1/328110
- Cross-Site Scripting in Unparsable XML Files (GM#013-IE)
http://www.securityfocus.com/archive/1/325360
- (Another) Microsoft Internet Explorer FTP Security Hole
Microsoft Internet Explorer FTP Classic View Cross-Domain Scripting
http://lists.grok.org.uk/pipermail/full-disclosure/2003-June/005321.html
- Internet Explorer URL spoofing threat
http://www.securityfocus.com/archive/1/323436
More on IE URL obfuscation
http://archives.neohapsis.com/archives/ntbugtraq/2003-q4/0285.html
- Microsoft Internet Explorer %USERPROFILE% Folder Disclosure Vulnerability
http://www.securityfocus.com/archive/1/323992
- SILLY BEHAVIOR Part III : Internet Explorer 5.5 - 6.0
http://www.securityfocus.com/archive/1/320437
- .MHT Buffer Overflow in Internet Explorer
http://www.securityfocus.com/archive/1/314644
http://www.securityfocus.com/archive/1/314817
- Outlook Express triple-extension (buffer overflow) bug
http://www.theregister.co.uk/content/56/29137.html
http://www.messagelabs.com/viruseye/report.asp?id=130
http://vil.nai.com/vil/content/v_100011.htm
Maybe a simple re-hash of: Re: HTML.dropper
http://www.securityfocus.com/archive/1/157279
- Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part II
http://www.securityfocus.com/archive/1/313174
- internet explorer local file reading
http://www.securityfocus.com/archive/1/309997
http://www.securityfocus.com/archive/1/309987
- ms02-065 contains the caveat ... a patched system could be made
vulnerable again [by] visit a web site or open an HTML mail .... We
have a buffer overrun (execute-any-code) vulnerability, to be exploited
by a (malicious) Web page or email; there is a patch that can be undone
by a (malicious) Web page or email. Just as exploitable after the patch.
It also contains the workaround: make sure you have no trusted
publishers, including Microsoft. You should not blindly accept and
run MS code: you may want to apply that to the whole of IE and Windows.
- LEVERAGING CROSS-PROTOCOL SCRIPTING IN MSIE
http://www.securityfocus.com/archive/1/291527
http://www.securityfocus.com/archive/1/291525
- IE6 SP1 Notes
http://www.securityfocus.com/archive/1/291170
- Bypassing cookie restrictions in IE 5+6
http://www.securityfocus.com/archive/1/286162
http://www.securityfocus.com/archive/1/286288
http://www.securityfocus.com/archive/1/286289
- [Because IE trusts local files, xxx] allows execution of arbitrary code
http://www.securityfocus.com/archive/1/262704
http://www.securityfocus.com/archive/1/282631
http://www.securityfocus.com/archive/1/282993
http://www.securityfocus.com/archive/1/283018
http://www.securityfocus.com/archive/1/287896
http://www.securityfocus.com/archive/1/320714
Re: is predicatable file location a vuln? (was RE: Aol Instant Messenger/Microsoft Internet Explorer remote code execution)
http://www.securityfocus.com/archive/1/354622
- IE dot bug - Sandblad advisory #7
http://www.securityfocus.com/archive/1/273168
Apparently fixed in ms02-047, but problem is a general issue in Windows,
not just IE.
Try in a dos prompt window:
echo xyz > test.txt
type "test.txt . .."
del "test.txt."
- RFC: suggestions for SSL security enhancements in Microsoft Internet Explorer
http://www.securityfocus.com/archive/1/265668
regarding SSL issues
http://www.securityfocus.com/archive/1/266546
- Outlook Express Attach Execution Exploit (img tag + innerHTML + TIF dos name)
http://www.securityfocus.com/archive/1/265447
- Automatically opening IE + Executing attachments
http://www.securityfocus.com/archive/1/263607
http://www.securityfocus.com/archive/1/263658
- [GSA2002-01] Web browsers ignore the Content-Type header, thus allowing cross-site scripting
http://www.securityfocus.com/archive/1/256013
TEXT/PLAIN: ALERT("OUTLOOK EXPRESS")
http://www.securityfocus.com/archive/1/330499
http://www.securityfocus.com/archive/1/331072
- HELP ! : Trojanised HTML: Internet Exporer 5 and 6 [technical exercise]
http://www.securityfocus.com/archive/1/254956
http://www.securityfocus.com/archive/1/255276
- Web Browsers vulnerable to the Extended HTML Form Attack (IE and OPERA)
http://www.securityfocus.com/archive/1/254695
- File Extensions Spoofable in Windows Explorer
http://www.securityfocus.com/archive/1/250362
- Internet Explorer Vulnerability to Web Mail-based Spoofing Attacks
http://www.securityfocus.com/archive/1/161387
- Fwd: Re: Double clicking on MS Office documents from Windows Explorer may execute arbitrary programs in some cases
http://www.securityfocus.com/archive/1/83866
http://www.securityfocus.com/archive/1/276755
- IE5.5 window.externalNavigateAndFind security vulnerability....
http://www.securityfocus.com/archive/1/136474
- http://msdn.microsoft.com/workshop/security/szone/urlzones.asp
- http://msdn.microsoft.com/workshop/networking/pluggable/overview/overview.asp
and how to block them
http://www.securityfocus.com/archive/1/371529
- http://msdn.microsoft.com/workshop/networking/moniker/monikers.asp
http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp
http://msdn.microsoft.com//workshop/networking/moniker/overview/mime_handling.asp
- http://www.cert.org/body/advisories/CA200016_FA200016.html
- http://www.peacefire.org/security/iecookies/
- http://www.cert.org/reports/activeX_report.pdf
Paul Szabo
psz@maths.usyd.edu.au
28 Jan 20