IE7 Local Software Enumeration
by Billy (BK) Rios – Billy dot Rios -at- gmail
Using the Resource URI, it is possible to set the img.src attribute to a resource within an executable or DLL on the user's local file system. Many executables (and some DLLs) have bitmaps and other images embedded in them. These images can be loaded into an image object by setting the "src" property to the resource inside an executable or DLL on the user's local file system. Loading resources from the local file system is possible even if the user is running IE with the highest security settings and has scripting disabled. The following HTML code demonstrates a simple way to enumerate software on a user's local file system.
An attacker could initiate enumeration through XSS or by URL redirection. Attackers could scan a user's file system for software with known vulnerabilities, or an unscrupulous vendor could scan a user's machine to determine whether the user has a competitor's software, software related to a health condition, or other sensitive software installed, creating a privacy risk for some users.
Here's the demonstration
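A defensive check for the behaviour described above, added here as an example and not part of the original post: it scans static markup (no script execution needed, matching the point about scripting being disabled) for attributes that use the res:// scheme and lists the local binaries they reference. The `res://file[/type]/id` layout, the function names and the sample page are assumptions made for this example; the sample paths are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import unquote

SCHEME = "res://"

def local_file(uri):
    """Return the local file a res:// URI names (assumed layout: res://file[/type]/id)."""
    first_segment = uri[len(SCHEME):].split("/", 1)[0]
    return unquote(first_segment).lower()

class ResUriFinder(HTMLParser):
    """Record every attribute whose value uses the res:// scheme.

    Works on static markup, because the page notes the probe needs no scripting.
    """
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []  # (tag, attribute, local file)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            value = (value or "").strip()
            if value.lower().startswith(SCHEME):
                self.hits.append((tag, name, local_file(value)))

def scan(html):
    """Return (hits, sorted distinct local files referenced via res://)."""
    finder = ResUriFinder()
    finder.feed(html)
    finder.close()
    return finder.hits, sorted({f for _, _, f in finder.hits})

# Constructed sample page; the paths are placeholders, not real products.
SAMPLE = r"""
<html><body>
<img src="res://C:\Program Files\ExampleApp\example.exe/#2/101" width="1" height="1">
<img src="res://C:%5CProgram%20Files%5COtherApp%5Cother.dll/#2/200">
<IMG SRC="RES://c:\program files\exampleapp\example.exe/#2/102">
<img src="http://example.com/logo.png">
</body></html>
"""

if __name__ == "__main__":
    hits, files = scan(SAMPLE)
    print(f"{len(hits)} res:// references to {len(files)} local files")
    for f in files:
        print("  probed:", f)
```

Run over proxy-captured or crawled pages, a remote page that references several distinct local binaries this way is a strong signal of enumeration.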