2.1 - VU#468843

Executive Summary

Summary
Title	Microsoft Internet Explorer 7 DisableCachingOfSSLPages may not prevent caching

Informations
Name	VU#468843	First vendor Publication	2008-05-09
Vendor	VU-CERT	Last vendor Modification	2008-05-09
Severity (Vendor)	N/A	Revision	M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:L/AC:L/Au:N/C:P/I:N/A:N)
Cvss Base Score	2.1	Attack Range	Local
Cvss Impact Score	2.9	Attack Complexity	Low
Cvss Expoit Score	3.9	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#468843

Microsoft Internet Explorer 7 DisableCachingOfSSLPages may not prevent caching

Overview

Setting the Internet Explorer 7 option DisableCachingOfSSLPages may not prevent the caching of SSL-enabled web pages.

I. Description

Administrators and users can set the Internet Explorer DisableCachingOfSSLPages option to prevent sensitive or private data from being saved to disk. The registry key for this setting is:

HKCUSoftwareMicrosoftWindowsCurrentVersionInternetSettingsDisableCachingOfSSLPages

After enabling this setting, Internet Explorer 7 may still cache SSL-enabled web pages to disk.

II. Impact

Private or sensitive data may be written to disk inadvertently.

III. Solution

We are currently unaware of a practical solution to this problem.

Secure deletion

Securely deleting or encrypting the Internet Explorer 7 browser cache (%userprofile%AppDataLocalMicrosoftWindowsTemporary Internet FilesLow) that contains the sensitive information will mitigate this vulnerability.

Systems Affected

Vendor	Status	Date Updated
Microsoft Corporation	Vulnerable	22-Apr-2008

References

http://technet2.microsoft.com/windowsserver/en/library/c07587ec-4a60-4bca-8508-29a4296b72121033.mspx?mfr=true
http://technet.microsoft.com/en-us/sysinternals/bb897443.aspx
http://technet2.microsoft.com/WindowsVista/en/library/58358421-a7f5-4c97-ab41-2bcc61a58a701033.mspx?mfr=true
http://blogs.msdn.com/ie/archive/2006/02/09/528963.aspx
http://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software

Credit

Thanks to Bill KNox from MITRE for reporting this vulnerability.

This document was written by Ryan Giobbi.

Other Information

Date Public	05/09/2008
Date First Published	05/09/2008 07:59:14 AM
Date Last Updated	05/09/2008
CERT Advisory
CVE Name
US-CERT Technical Alerts
Metric	2.40
Document Revision	18

Original Source

Url : http://www.kb.cert.org/vuls/id/468843

CWE : Common Weakness Enumeration

%	Id	Name
100 %	CWE-200	Information Exposure

CPE : Common Platform Enumeration

Type	Description	Count
Application	Microsoft Internet Explorer cpe:2.3:a:microsoft:internet_explorer:7:::::::*	1

Open Source Vulnerability Database (OSVDB)

Id	Description
44973	Microsoft IE DisableCachingOfSSLPages SSL Page Caching Persistence

Global Informations

Type	Count
CWE ID(s)	1
CPE ID(s)	1
osvdb(s)	1

	Related
2.1	CVE-2008-2159
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 1 more Alert(s)