Multiple vulnerabilities have been identified in Internet Explorer allowing malicious HTML documents such as web sites to access resources in the Local Zone.

1) Double slash zone transfer
The use of a double slash ":\\" in a CODEBASE resource location can be used to bypass the security check in Internet Explorer. This can potentially be exploited to cause Internet Explorer to access local resources.

2) Userprofile disclosure
It is possible to access files in the current user profile without knowing the username by substituting it with "file:///::{450D8FBA-AD25-11D0-98A8-0800361B1103}". It is also possible to see the current user profile with the following javascript "alert(window.open("file:///::{450D8FBA-AD25-11D0-98A8-0800361B1103}/res::"))". This can only be exploited if Internet Explorer is operating in Local Zone.

3) Redirection and Refresh in IFRAME parses local file
It is possible to make Internet Explorer parse a local file by creating an IFRAME, which has a SRC poiting to a remote source that redirects to a local resource. Parsing of the local file requires the IFRAME to be refreshed, which can be done automatically using scripting.

A proof of concept exploit has been published. This exploit combines the above vulnerabilities with some older vulnerabilities and a bug in Flash player to install and execute arbitrary code.

The vulnerabilities have been reported to affect Internet Explorer 5, 5.5, and 6 with all current patches.

Solution
The vulnerabilities have been fixed silently in some cumulative security update.

Provided and/or discovered by
1 & 2) Liu Die Yu
3) Mindwarper

Changelog
Further details available to Secunia VIM customers

Original Advisory
Double slash zone transfer:
http://www.safecenter.net/UMBRELLAWEBV4/DblSlashForCache/DblSlashForCache-Content.htm

Redirection and Refresh in Iframe parses local file:
http://www.safecenter.net/UMBRELLAWEBV4/IredirNrefresh/IredirNrefresh-Content.htm

Deep Links
Links available to Secunia VIM customers