Posted on 11/23/2009 2:31:32 PM PST by Gomez
A bug in Microsoft's Internet Explorer browser is causing more than 50 million files stored online to leak potentially sensitive information that could compromise user privacy, a security researcher said.
The documents stored in Adobe's PDF format display the internal disk location where the file is stored, an oversight that can inadvertently expose real-world names and login IDs of users, the operating system being used and other information that is better kept private. The data can then be retrieved using simple web searches.
Google searches such as this one expose almost 4 million documents residing on users' C drives alone. Combined with searches for other common drives, the technique exposes more than 50 million files that display the local disk path, according to Inferno, a security researcher for a large software company who asked that his real name not be used.
"If they have those kind of PDFs, somebody can use search engines to find out user names or do more reconnaissance on the operating systems used," he told The Register. "That actually invades the privacy of a user."
The potentially sensitive data is included in PDFs that have been printed using Internet Explorer. The full path location is appended to its contents as soon as the Microsoft browser is used to print the document. Although the data isn't always exposed when the document is viewed with Adobe Reader, it is easily readable when the file is opened in editors such as Notepad, and the text is also available to Google and other search engines.
This PDF, for example, was stored at C:\Program Files\Wids7\WizardReport.htm at time of printing. The path makes it clear that the file was stored on a Windows machine that has software from Worldwide Instructional Design System installed. Other PDFs give up directory names that reveal authors, projects or other data that may have been designated confidential.
The only way to remove the path is to erase the text in an editor and save the document.
All versions of IE suffer from the bug. A Microsoft spokeswoman said company engineers are working to reproduce the reported behavior. "We can confirm that this is not a vulnerability," she wrote in an email. Adobe representatives didn't reply to requests for comment. Inferno's report is here.
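The article's point is that the path lives in parts of the PDF a viewer does not render (the Info dictionary, or a compressed content stream) but that a plain text search still sees. As an added example, not from the article or from Inferno's report, here is a small pre-publication check a site owner could run over a PDF's raw bytes to flag local disk paths before the file goes online; the sample PDF is constructed inline and the path values in it are made up.

```python
import re
import zlib
from typing import List

# Windows drive-letter paths and file:// URLs. PDF literal strings escape a
# backslash as "\\", so accept one or more backslashes after the drive letter.
# The character class stops at PDF string/array delimiters and control bytes.
PATH_RE = re.compile(rb"(?:[A-Za-z]:\\+|file:///?)[^\x00-\x1f()<>\[\]\"]+")

# Raw stream bodies; the lookbehind keeps "endstream" from starting a match.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.DOTALL)


def _unescape(raw: bytes) -> str:
    # Collapse PDF's doubled backslashes back to the path as the user would see it.
    return raw.replace(b"\\\\", b"\\").decode("latin-1").strip()


def find_local_paths(pdf: bytes) -> List[str]:
    """Return every local path found in the uncompressed bytes or in any
    Flate-compressed stream of the PDF, deduplicated and sorted."""
    found = {_unescape(m.group(0)) for m in PATH_RE.finditer(pdf)}
    for s in STREAM_RE.finditer(pdf):
        try:
            # decompressobj tolerates the trailing newline before "endstream".
            body = zlib.decompressobj().decompress(s.group(1))
        except zlib.error:
            continue  # not zlib data (uncompressed or another filter); raw scan covered it
        found.update(_unescape(m.group(0)) for m in PATH_RE.finditer(body))
    return sorted(found)


def build_sample_pdf() -> bytes:
    # Constructed minimal PDF with a path in both places one tends to land:
    # the document Title and a compressed page content stream. Not a real file.
    content = zlib.compress(
        b"BT /F1 12 Tf 72 720 Td (file:///C:/Users/joeuser/Desktop/report.htm) Tj ET"
    )
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n"
        b"4 0 obj << /Length " + str(len(content)).encode() + b" /Filter /FlateDecode >>\n"
        b"stream\n" + content + b"\nendstream\nendobj\n"
        b"5 0 obj << /Title (C:\\\\Program Files\\\\Wids7\\\\WizardReport.htm) /Producer (constructed) >> endobj\n"
        b"trailer << /Root 1 0 R /Info 5 0 R >>\n%%EOF\n"
    )
```

Feeding a real file is just `find_local_paths(open(name, "rb").read())`; any non-empty result means the document should be re-saved with the path removed before it is published.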
ping
The only way to remove the path is to erase the text in an editor and save the document.
What would you want IE default behavior to be?
Sounds like a default behavior with a trivial workaround.
At most I would add a registry setting to remove the path leading to the filename. This is not an OS bug.
LOL, it's not a bug, it's a feature. Yeah, that's the ticket!
It appears that no actual files are being exposed, just the path names.
While I understand that this is less than optimal, unless you've got stuff like this on your system:
C:\Documents and Settings\obinladen\Desktop\Jihad\Bombs\ANFO\Project Bomb the Synagogue on 3rd and Maple on December 18th\Project Plan.doc
...then there really isn't a lot to worry about.
Most things people would have would look like:
C:\Documents and Settings\joeuser\Desktop\Lists\Christmas List.doc
Moral: If you have sensitive data on your machine, don't name the folders with the sensitive data. Leave the data in a file.
Now granted, this shouldn't be information that leaks out and Microsoft needs to fix it, but I'm pretty sure that this really isn't a major breach unless you're pretty dumb in how you set up your directory structure.
Regarding the http://wids.matcmadison.edu/10150170.pdf
LOL - That’s quite standard behavior for printing out web-documents, so I’m guessing that it was output viewed on a browser and then “printed” on a virtual PDF-producing printer.
I don’t quite understand why this is a web browser bug.
It sounds like it’s a bug in whatever software created the PDF. That could be the fault of MS, if they wrote that code, or it could be Adobe, or some other software developer. It could be a “feature”. Was the file path part of the visible content of the PDF? They seemed to indicate it was part of the PDF markup that is not usually visible with typical PDF viewers, but I wonder.
Usually IE and other web browsers do not create PDF files. You’d usually have to print to a PDF from the browser, but that wouldn’t make the PDF visible on a public web server for searching.
Whoever wrote this article seems technically illiterate. The article seems poorly edited. Both are probably true.
Looks like it was stored in the “hidden” part of the file. That means it’s more like Google is the responsible party here, along with whatever software created the PDF.
Again, badly written article. In my opinion, NOT an IE “bug”.
Absolutely agree about the poor writing/editing. And agreed that it is not clear what program created the documents (the article claims they were created by IE, but I’m sceptical).
Steel, the *real* source for the Hadley CRU email dump...? /sarc>
Cheers!