[Dshield] 'Internet Explorer File Download Extension Spoofing' vulnerability
peter.stendahl-juvonen at welho.com
Thu Jan 29 13:23:19 GMT 2004
Internet Explorer File Download Extension Spoofing
The solution should be self-evident, but as the vulnerability also applies to,
e.g., '*.pdf' files, which some of us may regard as harmless or
non-dangerous, I have also copied the "Solution" part (below).
"A danger foreseen is half avoided."
Thomas Fuller (1608-1661); English scholar, preacher.
PS. Internet Explorer File Download Extension Spoofing
http-equiv has identified a vulnerability in Internet Explorer, allowing
malicious web sites to spoof the file extension of downloadable files.
The problem is that Internet Explorer can be tricked into opening a file, with
a different application than indicated by the file extension. This can be done
by embedding a CLSID in the file name. This could be exploited to trick users
into opening "trusted" file types which are in fact malicious files.
Secunia has created an online test:
This has been reported to affect Microsoft Internet Explorer 6.
NOTE: Prior versions may also be affected.
Do not use "Open" file, always save files to a folder as this reveals the
Copyright C 2002 Secunia
(Does 'Copyright C 2002' apply to this vulnerability report, the Release Date
of which is 2004-01-28, as well?) ;-)
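As an added defender-side check (not part of the original post or of Secunia's advisory), the script below flags download filenames that embed a braced CLSID, which is the trick the advisory describes, and reports the extension a user would perceive if the CLSID segment were not visible. The proxy-log line format, the host `example.invalid`, and the all-zero CLSID used in the sample are constructed for the example; the advisory does not state the exact filename layout, so the check only looks for a CLSID anywhere in the filename.

```python
import re
from urllib.parse import unquote, urlsplit

# A Windows CLSID/GUID in braces, e.g. {01234567-89ab-cdef-0123-456789abcdef}.
# The advisory says a CLSID embedded in the filename changes which application
# opens the file, so any braced GUID in a download name is worth flagging.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Constructed sample log lines (timestamp, client, method, URL). The all-zero
# CLSID is a placeholder value, not one taken from the advisory.
SAMPLE_LOG = [
    "2004-01-29T10:00:01 10.0.0.5 GET http://example.invalid/docs/report.pdf",
    "2004-01-29T10:00:07 10.0.0.5 GET http://example.invalid/docs/report.pdf.{00000000-0000-0000-0000-000000000000}",
    "2004-01-29T10:01:12 10.0.0.9 GET http://example.invalid/img/logo.gif",
]


def has_embedded_clsid(filename):
    """True if the filename contains a braced CLSID anywhere."""
    return CLSID_RE.search(filename) is not None


def visible_extension(filename):
    """Extension the user would perceive once CLSID segments are ignored.

    The CLSID text is removed, trailing dots/spaces are stripped, and the
    part after the last remaining dot is returned ('' if there is none).
    """
    cleaned = CLSID_RE.sub("", filename).rstrip(". ")
    if "." not in cleaned:
        return ""
    return cleaned.rsplit(".", 1)[-1].lower()


def filename_from_url(url):
    """Last path segment of the URL, percent-decoded."""
    path = urlsplit(url).path
    return unquote(path.rsplit("/", 1)[-1])


def flag_suspicious_downloads(lines):
    """Return (client, filename, perceived_extension) for flagged downloads.

    Assumes the constructed whitespace-separated format used in SAMPLE_LOG.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash
        name = filename_from_url(parts[3])
        if has_embedded_clsid(name):
            hits.append((parts[1], name, visible_extension(name)))
    return hits


if __name__ == "__main__":
    for client, name, ext in flag_suspicious_downloads(SAMPLE_LOG):
        print(f"{client} downloaded {name!r}; user likely perceives a .{ext} file")
```

Saving the file first, as the advisory's solution advises, exposes the real name on disk; this check lets a proxy or log review catch the same pattern before the user is in the loop.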