Reported November 17, 2004, by cyber flash

VERSIONS AFFECTED

  • Microsoft Internet Explorer (IE) 6.0

DESCRIPTION
Two vulnerabilities have been discovered in IE that can be used to bypass a security feature in Windows XP Service Pack 2 (SP2) and trick users into downloading malicious files. These two vulnerabilities are:

  • Windows XP SP2 has a security feature that warns users when they open downloaded files of certain types. The problem is that, in some situations, users won't receive the security warning if the downloaded file was sent with a specially crafted Content-Location HTTP header.
  • An error when saving some documents using the JavaScript execCommand() function can be exploited to spoof the file extension in the Save HTML Document dialog box.

Successful exploitation requires that the option "Hide extension for known file types" is enabled (default setting). A malicious Web site can combine these two vulnerabilities to trick a user into downloading a malicious executable file masquerading as an HTML document.
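
The following added example (not part of the original advisory) audits a list of downloaded file names for the masquerade described above: an executable whose name reads as a document once the known extension is hidden. The extension lists, the function names and the simplified model of how the name is displayed are assumptions made for illustration.

```python
import ntpath

# Assumption: illustrative lists, not an exhaustive inventory of Windows file types.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".hta"}
DOCUMENT_EXTS = {".htm", ".html", ".txt", ".doc", ".pdf", ".jpg", ".gif"}

# Constructed sample input, not taken from a real system.
SAMPLE = [
    r"C:\Downloads\report.html.exe",
    r"C:\Downloads\setup.exe",
    r"C:\Downloads\notes.html",
    r"C:\Downloads\invoice.htm.SCR",
]


def displayed_name(filename, hide_known_ext=True):
    """Simplified model: with the option enabled, the last known extension is hidden."""
    base = ntpath.basename(filename)
    stem, ext = ntpath.splitext(base)
    if hide_known_ext and ext.lower() in EXECUTABLE_EXTS | DOCUMENT_EXTS:
        return stem
    return base


def masquerades_as_document(filename, hide_known_ext=True):
    """True when an executable's displayed name ends in a document extension."""
    base = ntpath.basename(filename)
    real_ext = ntpath.splitext(base)[1].lower()
    if real_ext not in EXECUTABLE_EXTS:
        return False
    shown = displayed_name(base, hide_known_ext)
    shown_ext = ntpath.splitext(shown)[1].lower()
    # Suspicious only if hiding changed the name and what remains looks like a document.
    return shown != base and shown_ext in DOCUMENT_EXTS


def audit(filenames, hide_known_ext=True):
    """Return (real name, displayed name) for every suspicious entry."""
    return [(ntpath.basename(f), displayed_name(f, hide_known_ext))
            for f in filenames if masquerades_as_document(f, hide_known_ext)]


if __name__ == "__main__":
    for real, shown in audit(SAMPLE):
        print(f"{shown!r} is really {real!r}")
```

With hide_known_ext=False the same audit returns nothing, because the full name, including the executable extension, stays visible to the user.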
 

VENDOR RESPONSE
Microsoft has not released a fix or bulletin that addresses these vulnerabilities.

CREDIT
Discovered by cyber flash.