Information disclosure vulnerabilities are known to cause data confidentiality to be lost.
One such vulnerability is CVE-2017-8529, found in Microsoft Internet Explorer can expose sensitive browser data.
Sectors such as finance, legal, and healthcare can be exposed to data leaks through browsers. This vulnerability needs an immediate fix.
If not, they can reset security posture in the attackers’ favour, as it can silently expose sensitive data, compromise business continuity, and undermine strategic security control.
Here are a few more.
- Like a ransomware or DDoS attack, you don’t find any immediate disruptions such as unusual network activity, slow network performance, unauthorized access, or unusual activities, etc. They are very silent and can expose sensitive data, configurations, slowly giving the attacker what your systems contain.
- It helps an attacker get more ideas on how to move laterally, escalate privileges, and exfiltrate data faster.
- It can reveal data that would have taken years to develop and is critical for national defense or innovation.
- Customers want their data to be protected always. A leak can damage their confidence and brand reputation and result in compliance violations.
- These types of vulnerabilities are commonly used in the reconnaissance stage by attackers. Since they can be exploited quietly, they are an ideal route to launch multi-stage attacks.
- Some of the compliance risks:
- Unintentional browser data exposure can lead to GDPR violations
- In healthcare, patient data accessed through browsers can get leaked, leading to HIPAA violations
- Retailers using browser dashboards for card processing can risk PCI-DSS violations
Business risk use case for CVE-2017-8529
Let us consider this example: If a finance/legal/healthcare firm is using web-based tools to manage client data.
Many routinely access confidential client records, court filings, and case management systems through a browser-based portal.
They mostly rely on Microsoft Internet Explorer.
Even though they apply the patch for CVE-2017-8529, the IT team might overlook the required registry configuration that is needed to fully fix this vulnerability.
This makes Internet Explorer vulnerable to an information disclosure attack.
How is CVE-2017-8529 exploited?
Here is an example. Attackers send a phishing email. The email lures the recipient to click a link that loads a malicious page.
That’s all that is needed. The recipient does not need to click or download, which makes the vulnerability very dangerous.
Now, IE tries to fetch the resource from the attacker’s server, making Windows include NTLM credentials (the user’s domain name, username, and a hash of their password) in the authentication request.
This leads to the leak of these credentials, allowing attackers to capture them. They will also be able to access user browser sessions, such as URLs visited, print spooler status, cached form data, or session identifiers.
Moreover, if the recipient is working using web-based tools for document management and accessing sensitive databases, it can result in gaining access to internal portals.
Technical details of CVE-2017-8529
| CVSS Score | 6.5 |
| Severity | Medium |
| Affected Software | Internet Explorer in Win 7 SP1, Server 2008 R2 SP1, 8.1 and RT 8.1, Server 2012 and R2 |
| Impact | Leaks browser information, such as visited URLs |
| Exploit Vector | Attacker-controlled malicious web content |
| Patch Status | OS patch released, but registry configuration required to complete remediation |
