Microsoft IE OWC ConnectionFile File Existence Verification
Remote / Network Access
Loss of Confidentiality
Patch / RCS
Microsoft Office Web Components (OWC) contains a flaw that allows a remote attacker to verify the existence of a file. The issue is due to the DataSourceControl component in OWC, whose "ConnectionFile" property doesn't perform any security checks on the assigned URL. This makes it possible to assign a local file and verify its existence via the error message returned.
Microsoft has released a patch to address this vulnerability. Additionally, it is possible to temporarily work around the flaw by disabling ActiveX controls through the browser security settings.