This new security issue came to light just days after Microsoft delivered an emergency patch to correct several other IE vulnerabilities, including at least one that was used in the recent attacks against more than 30 brand companies.
Jorge Luis Alvarez Medina, a security consultant at Core Security Technologies, is scheduled to give a presentation on Feb. 3 at the Black Hat conference in Washington, D.C., demonstrating how an attacker could leverage four to five flaws in design features of Internet Explorer to read every file on a user's computer. Following the presentation, Medina plans to release a proof of concept demonstrating the attack, as well as further details on the flaws.
“It's not a presentation about how to exploit a bug in the browser, but how to take advantage of different, legitimate features of IE to deploy an attack vector,” Medina said. “Those features that are part of this attack are not vulnerabilities in and of themselves, but features that involve minor risk.”
“All an attacker needs is for a victim to click on a link and that's it,” Medina said. “An attacker would be able to read every file from a victim's machine.”
Core Security researchers have been working with Microsoft to fix the issues for some time, Medina said.
Meanwhile, Microsoft recommends users upgrade to IE 8, sign up for Microsoft Update and enable the automatic update functionality to ensure their browser is up to date with the most secure version.