|
[Japanese]
|
JVNDB-2016-000028
|
Internet Explorer cross-domain policy bypass
|
|
Internet Explorer contains a flaw that may allow an attacker to bypass cross-domain policies.
Yosuke HASEGAWA of Secure Sky Technology Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
|
|
CVSS V3 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: None
- Confidentiality Impact: Partial
- Integrity Impact: None
- Availability Impact: None
|
|
The following products without Cumulative Security Update (3134220) are affected.
|
Microsoft Corporation
- Microsoft Internet Explorer 9
- Microsoft Internet Explorer 10
- Microsoft Internet Explorer 11
|
|
|
When a specially crafted content is opened, cross-domain policies may be bypassed and then information of the URL that the user is accessing may be obtained by an attacker.
|
|
[Update the Software]
This issue was addressed in MS16-009 released on February 10, 2016. Apply the update according to the information provided by Microsoft.
|
|
Microsoft Corporation
|
|
- No Mapping(CWE-Other) [IPA Evaluation]
|
|
- CVE-2016-0069
|
|
- JVN : JVN#78383854
- National Vulnerability Database (NVD) : CVE-2016-0069
- IPA SECURITY ALERTS : Security Alert for Vulnerability in Microsoft Security Bulletin (in Japanese)
- JPCERT REPORT : JPCERT-AT-2016-0007
- @Police : For Microsoft Security Bulletin (MS16-009,011,012,013,014,015,016,017,018,019,020,021,022)(2016/02/10) (in Japanese)
|
|
- [2016/02/19]
Web page was published
[2016/02/23]
References : Contents were added
|
