Internet Explorer Iframe Folder Deletion Weakness

cyber flash has discovered a weakness in Internet Explorer, which can be exploited by malicious people to trick users into deleting local folders.

The problem is that network shares can be included in an iframe where only certain parts of the content are visible to the user. This can, for example, be exploited to trick users into deleting local folders via an iframe referencing “\$”.

Successful exploitation requires that the user selects a folder icon, presses the delete key, and accepts a “Folder Delete” dialog.

The weakness has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2.

Solution: Do not accept suspicious “Folder Delete” dialogs when visiting untrusted web sites.
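For content filtering or page review, the condition described above (a frame whose source is a file share rather than a web URL, sized so that only part of it shows) can be checked mechanically. The following is an added example, not part of the original advisory; the size threshold, the reason labels and the sample host and share names are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Assumption: a frame at most this many pixels wide or high shows only a fragment.
SMALL_PX = 150
# A path component ending in "$" (hidden or administrative share name).
DOLLAR_SHARE = re.compile(r"[\\/][^\\/]*\$(?:[\\/]|$)")

def classify_src(src):
    """Return the reasons a frame source points at a file share, or []."""
    s = unquote(src.strip())
    reasons = []
    if s.startswith("\\\\"):            # \\host\share (UNC path)
        reasons.append("unc-path")
    elif s.lower().startswith("file:"):  # file://host/share or file:///C:/...
        reasons.append("file-url")
    if reasons and DOLLAR_SHARE.search(s):
        reasons.append("dollar-share")
    return reasons

class FrameScanner(HTMLParser):
    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "frame"):
            return
        a = {k: (v or "") for k, v in attrs}
        reasons = classify_src(a.get("src", ""))
        if not reasons:
            return  # ordinary web URL, including protocol-relative //host/path
        dims = [a.get("width", ""), a.get("height", "")]
        if any(d.isdigit() and int(d) <= SMALL_PX for d in dims):
            reasons.append("clipped-frame")
        self.findings.append((a["src"], reasons))

def scan_html(html):
    """Return [(src, reasons)] for every frame that references a file share."""
    p = FrameScanner()
    p.findings = []
    p.feed(html)
    p.close()
    return p.findings

# Constructed sample page; host and share names are placeholders.
SAMPLE = r'''
<iframe src="https://example.com/news" width="600" height="400"></iframe>
<iframe src="\\host.example\share$" width="120" height="90"></iframe>
<IFRAME SRC="file://host.example/docs/" width="600" height="400"></IFRAME>
<iframe src="//cdn.example/widget.html" width="100" height="100"></iframe>
'''
```

Calling `scan_html(SAMPLE)` reports only the second and third frames; the protocol-relative URL in the fourth is a normal web reference and is not flagged.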

