A defect in the way Microsoft’s Internet Explorer (IE) browser processes FTP commands may possibly let attackers lift or remove data from a victim’s FTP site.
The bug, which concerns users of IE6 and the unsupported IE5 browser, provides an attacker a method of hijacking the victim’s FTP sessions. But a successful attack would be very hard to complete and would only work in very accurate and targeted attacks, security experts said.
The attacker would need to identify the victim’s user name on the FTP server and the victim would have to already be logged into the server, using IE. Under those circumstances, the victim could be sent a malevolent FTP link that would then perform commands on the victim’s FTP server.
This link might be sent to the browser via an undetectable iFrame component, concealed on a malicious website, so the victim might not even know the attack was taking place.
Rapid7 notified Microsoft of the subject in January. A month later, after the software giant had not patched the issue, it determined to publish proof-of-concept code to demonstrate the flaw.
The flaw is nearly exactly the same as another IE FTP flaw that Microsoft patched in August 2006. Microsoft fixed that bug with its MS06-042 patch, issued in August 2006.
The FTP predicament does not concern IE7, Microsoft has countered. It said it has not heard of any attacks that leverage this susceptibility and has determined that any successful attack would only lead to the unauthorised disclosure of data.