Billy Rios has a nice writeup on how you can enumerate files using the Internet Explorer res:// protocol. To see the demo, click here using Internet Explorer. I’ve been toying with this for a while, and used it to detect if you were using IE7.0 by looking at the included images that the anti-phishing image uses. But this is a new take on the same old idea.
This could be used to fingerprint a drive, enumerate users on a Windows platform, or detect which exploits to perform against a target. I’ve said a few times that the res:// protocol should be depreciated in the web context (cannot be called from the web) and I think there may be some movement in that direction in the future, but it probably won’t happen for a while. I’d love to see a hotfix to get rid of this one though, it just doesn’t need to be called from the web. In fact the only thing place I have seen res:// called from the web is in virus kits that attempt to fool people into thinking the page doesn’t exist by copying the IE file not found page, which includes links to res:// images. Time to kill that feature.