n0o.com - Personal archive of discovered vulns & writeups.

[CVE-2016-3267] Microsoft Browser Information Disclosure Vulnerability


Reported on: 21 Mar 2016
Shipped on: 17 Nov 2016
Type: Information Disclosure
In Function: readyState detection

Local file detection problem in IE11/Edge using an iframe and readyState. IE disabled loading a res protocol URI in an image element: such a load fails the check v31 = CMarkup::CheckForLMZLLoad (v8, 1) in CImgHelper::SetImgCtx. An attacker can instead use an iframe to load a res URI from the web zone. By observing the frame's readyState attribute, the attacker can tell whether a local file exists. For example, the readyState sequence "interactive,interactive" means the file exists and was loaded in the iframe, while "loading,interactive" means the file does not exist. IE versions older than IE11 are not affected: they report "interactive,complete" whether or not the local file exists, so the attacker cannot tell the two cases apart.
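The entry above describes the probe pattern (an iframe whose src is a res: URI, combined with polling of readyState). As an added example that is not part of this archive entry, the following Python scanner shows the defender-side counterpart: a content check that flags HTML in which an iframe (static attribute or a res:// string inside script) points at the res protocol and script text also references readyState. Both sample pages are constructed for this example; the res:// path in the sample is a placeholder, not a real resource name.

```python
import re
from html.parser import HTMLParser

# Constructed sample page that matches the pattern described in the advisory:
# a res: protocol iframe plus script that reads the frame's readyState.
# The DLL/resource name is a placeholder, not a real target.
SAMPLE_HTML = """<html><body>
<iframe id="probe" src="res://placeholder.dll/placeholder.htm"></iframe>
<script>
  var f = document.getElementById("probe");
  var seen = [];
  setInterval(function () { seen.push(f.readyState); }, 10);
</script>
</body></html>"""

# Constructed benign page: an ordinary https iframe and a script that checks
# document.readyState, which is common and must not be flagged on its own.
BENIGN_HTML = """<html><body>
<iframe src="https://example.org/embed"></iframe>
<script>
  if (document.readyState === "complete") { console.log("ready"); }
</script>
</body></html>"""


class ResIframeScanner(HTMLParser):
    """Collects iframe src values using the res: scheme and all inline script text."""

    def __init__(self):
        super().__init__()
        self.res_iframes = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "iframe":
            src = (attrs.get("src") or "").strip()
            if src.lower().startswith("res:"):
                self.res_iframes.append(src)
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data as raw text.
        if self._in_script:
            self.scripts.append(data)


def scan_for_readystate_probe(html):
    """Return a dict describing whether the page combines a res: iframe with readyState polling."""
    parser = ResIframeScanner()
    parser.feed(html)
    parser.close()
    script_text = "\n".join(parser.scripts)

    # res:// URIs assigned from script (e.g. frame.src = "res://...") rather than markup.
    dynamic_res = re.findall(r"""res://[^'"\s<>]+""", script_text, flags=re.IGNORECASE)
    polls_readystate = re.search(r"\breadyState\b", script_text) is not None
    res_targets = parser.res_iframes + dynamic_res

    return {
        "res_iframes": res_targets,
        "polls_readystate": polls_readystate,
        # Only the combination is meaningful: readyState checks alone are routine.
        "suspicious": bool(res_targets) and polls_readystate,
    }


if __name__ == "__main__":
    print(scan_for_readystate_probe(SAMPLE_HTML))
    print(scan_for_readystate_probe(BENIGN_HTML))
```

The check deliberately requires both indicators together: readyState access by itself is routine on ordinary pages, and a res: iframe without any script observing it has no way to report back, so flagging either alone would produce noise.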
https://github.com/leonwxqian/n0o-vuln-archive/blob/master/CVE-2016-3267.html