Wednesday, March 12, 2008

Microsoft Internet Explorer FTP Command Injection Vulnerability

Rapid7 Advisory R7-0032
Microsoft Internet Explorer FTP Command Injection Vulnerability

Discovered: June 16th, 2007
Published: March 10, 2008
Revision: 1.0
http://www.rapid7.com/advisories/R7-0032

1. Affected system(s):

KNOWN VULNERABLE:
o Internet Explorer 6 (all versions)
o Internet Explorer 5 (all versions)

NOT VULNERABLE:
o Internet Explorer 7

2. Summary

Internet Explorer 5 and 6 are vulnerable to a File Transfer Protocol (FTP) CSRF-like command injection attack, whereby an attacker could execute arbitrary commands on an unsuspecting user's authenticated or unauthenticated FTP session. An attacker could delete, rename, move, and possibly steal data and upload malicious files to an FTP server under the attacker's control, on behalf of the user.

3. Vendor status and information

Microsoft Corporation
http://www.microsoft.com/

Microsoft was notified of this vulnerability on January 22, 2008. They acknowledged the vulnerability on February 7, 2008 and were given 30 days to provide fix information.

4. Solution

The vendor plans to release a patch for this issue in an upcoming security bulletin. If possible, upgrade to Internet Explorer 7.
