Internet Explorer vulnerable to information disclosure


Internet Explorer contains an issue in handling XML files, which may result in information disclosure.

Isayama Takayoshi of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
CVSS Severity

CVSS V2 Severity:
Base Metrics 2.6 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
Affected Products

Microsoft Corporation
  • Microsoft Internet Explorer 6
  • Microsoft Internet Explorer 7
  • Microsoft Internet Explorer 8
  • Microsoft Internet Explorer 9


If a user opens a specially crafted XML file as a local file, other local files may be disclosed.

[Upgrade the software]
Users of Windows 7 and later, and Windows Server 2008 R2 and later, are advised to upgrade to Internet Explorer 10.

[Apply a workaround]
The following workaround may mitigate the effects of this vulnerability.

* Do not save untrusted files onto local disks.

The developer states that there are no plans for this issue to be addressed in Internet Explorer 9 and earlier.
Vendor Information

Microsoft Corporation
CWE

  1. No Mapping (CWE-Other) [IPA Evaluation]
CVE


  1. JVN : JVN#63901692
Revision History

  • [2013/06/07]
      Web page was published