An attacker can automatically store and execute a malicious program on a user's PC by exploiting a flaw in Microsoft Corp.'s Internet Explorer (IE) Web browser, the software maker has warned in a security bulletin.
IE 6.0 is flawed in the way it handles the Content-Disposition and Content-Type HTML (HyperText Markup Language) header fields on a Web page, Microsoft said. These fields, together with the hosting URL (Uniform Resource Locator) and the hosted file details, determine how IE handles a file after download, the company said.
An attacker can misrepresent the file type by altering the headers on a Web page or in an HTML e-mail message. IE then automatically downloads and executes the program when a user visits the Web site or views the e-mail message either in the preview pane or by opening it in an e-mail client that uses IE, such as Outlook Express, Microsoft said.
IE is supposed to show a security warning and ask the user what to do when a Web site offers an executable file for download.
The flaw also exists in IE versions 5.5 and 5.0, according to Oy Online Solutions Ltd., a Finnish security company credited by Microsoft for discovering the flaw. IE 5.5 with service pack 2 (SP2) installed isn't affected, Microsoft and Oy Online Solutions said. Microsoft only offers "hotfix support" for IE 6.0 and 5.5 with SP2, the latest IE versions.
An attacker could hijack a user's system and do anything a user could. The machine might be used in distributed denial of service (DDoS) attack or to spread viruses, Oy Online Solutions said.
Microsoft included a patch for the flaw in a cumulative software patch for IE versions 6.0 and 5.5 with SP2. The cumulative patch fixes all known bugs as well as three new ones, including the automatic file download and execute vulnerability.
Another new fix is one for a bug Oy Online Solutions made public in November. The file name in the IE download dialog box can be faked, potentially tricking a user into downloading and installing a malicious program on his PC by disguising it as an innocent file. This affects both IE5.5 SP2 and IE6.0, Microsoft said.
"This flaw led an expert at the Finnish company to discover the more serious automatic file download and execute flaw," said Oy Online Solutions Managing Director Jyrki Salmi.
There have been no reports of the most serious flaw being exploited, according to Salmi. However, he added, it isn't hard to find and exploit the hole.
"Somebody who is familiar with IE could be able to find the flaw based on information Microsoft provided and then it is fairly easy to exploit the flaw," he said. "This should be made very public and users should upgrade IE."
A third newly discovered flaw for which a patch is now available is a frame domain verification flaw. This flaw allows a malicious Web site operator to read any file on the user's PC that can be opened in a Web browser and affects both IE 5.5SP2 and IE 6.0, Microsoft saidThe file download and execution vulnerability is critical, according to Microsoft. The two other flaws are described as "moderate."