Microsoft investigating threat, considering patch, or offering guidance for protection.
A researcher at Black Hat DC next week will demonstrate how an attacker can steal files from a victim's machine by abusing a combination of actual features in Internet Explorer.
Jorge Luis Alvarez Medina, a security consultant with Core Security Technologies, says popular features in IE, such as URL Security Zones and the browser's file-sharing protocol, can together be abused to execute an attack that results in the attacker being able to read all files on the victim's machine. Medina plans to release proof-of-concept code for the attack next month after Black Hat DC
, and after Microsoft issues a security update for the attack, which affects IE versions 6 and above, he says.