Microsoft details IE vulnerability

An attacker can automatically store and execute a malicious program on a user's PC by exploiting a flaw in Microsoft Corp.'s Internet Explorer (IE) Web browser, the software maker has warned in a security bulletin.

IE 6.0 is flawed in the way it handles the Content-Disposition and Content-Type HTML (HyperText Markup Language) header fields on a Web page, Microsoft said. These fields, together with the hosting URL (Uniform Resource Locator) and the hosted file details, determine how IE handles a file after download, the company said.

An attacker can misrepresent the file type by altering the headers on a Web page or in an HTML e-mail message. IE then automatically downloads and executes the program when a user visits the Web site or views the e-mail message either in the preview pane or by opening it in an e-mail client that uses IE, such as Outlook Express, Microsoft said.

IE is supposed to show a security warning and ask the user what to do when a Web site offers an executable file for download.

The flaw also exists in IE versions 5.5 and 5.0, according to Oy Online Solutions Ltd., a Finnish security company credited by Microsoft for discovering the flaw. IE 5.5 with service pack 2 (SP2) installed isn't affected, Microsoft and Oy Online Solutions said. Microsoft only offers "hotfix support" for IE 6.0 and 5.5 with SP2, the latest IE versions.

An attacker could hijack a user's system and do anything a user could. The machine might be used in distributed denial of service (DDoS) attack or to spread viruses, Oy Online Solutions said.

Microsoft included a patch for the flaw in a cumulative software patch for IE versions 6.0 and 5.5 with SP2. The cumulative patch fixes all known bugs as well as three new ones, including the automatic file download and execute vulnerability.

Another new fix is one for a bug Oy Online Solutions made public in November. The file name in the IE download dialog box can be faked, potentially tricking a user into downloading and installing a malicious program on his PC by disguising it as an innocent file. This affects both IE5.5 SP2 and IE6.0, Microsoft said.

"This flaw led an expert at the Finnish company to discover the more serious automatic file download and execute flaw," said Oy Online Solutions Managing Director Jyrki Salmi.

There have been no reports of the most serious flaw being exploited, according to Salmi. However, he added, it isn't hard to find and exploit the hole.

"Somebody who is familiar with IE could be able to find the flaw based on information Microsoft provided and then it is fairly easy to exploit the flaw," he said. "This should be made very public and users should upgrade IE."

A third newly discovered flaw for which a patch is now available is a frame domain verification flaw. This flaw allows a malicious Web site operator to read any file on the user's PC that can be opened in a Web browser and affects both IE 5.5SP2 and IE 6.0, Microsoft saidThe file download and execution vulnerability is critical, according to Microsoft. The two other flaws are described as "moderate."

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Joris Evers

Computerworld
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?