Microsoft details IE vulnerability

An attacker can automatically store and execute a malicious program on a user's PC by exploiting a flaw in Microsoft Corp.'s Internet Explorer (IE) Web browser, the software maker has warned in a security bulletin.

IE 6.0 is flawed in the way it handles the Content-Disposition and Content-Type HTML (HyperText Markup Language) header fields on a Web page, Microsoft said. These fields, together with the hosting URL (Uniform Resource Locator) and the hosted file details, determine how IE handles a file after download, the company said.

An attacker can misrepresent the file type by altering the headers on a Web page or in an HTML e-mail message. IE then automatically downloads and executes the program when a user visits the Web site or views the e-mail message either in the preview pane or by opening it in an e-mail client that uses IE, such as Outlook Express, Microsoft said.

IE is supposed to show a security warning and ask the user what to do when a Web site offers an executable file for download.

The flaw also exists in IE versions 5.5 and 5.0, according to Oy Online Solutions Ltd., a Finnish security company credited by Microsoft for discovering the flaw. IE 5.5 with service pack 2 (SP2) installed isn't affected, Microsoft and Oy Online Solutions said. Microsoft only offers "hotfix support" for IE 6.0 and 5.5 with SP2, the latest IE versions.

An attacker could hijack a user's system and do anything a user could. The machine might be used in distributed denial of service (DDoS) attack or to spread viruses, Oy Online Solutions said.

Microsoft included a patch for the flaw in a cumulative software patch for IE versions 6.0 and 5.5 with SP2. The cumulative patch fixes all known bugs as well as three new ones, including the automatic file download and execute vulnerability.

Another new fix is one for a bug Oy Online Solutions made public in November. The file name in the IE download dialog box can be faked, potentially tricking a user into downloading and installing a malicious program on his PC by disguising it as an innocent file. This affects both IE5.5 SP2 and IE6.0, Microsoft said.

"This flaw led an expert at the Finnish company to discover the more serious automatic file download and execute flaw," said Oy Online Solutions Managing Director Jyrki Salmi.

There have been no reports of the most serious flaw being exploited, according to Salmi. However, he added, it isn't hard to find and exploit the hole.

"Somebody who is familiar with IE could be able to find the flaw based on information Microsoft provided and then it is fairly easy to exploit the flaw," he said. "This should be made very public and users should upgrade IE."

A third newly discovered flaw for which a patch is now available is a frame domain verification flaw. This flaw allows a malicious Web site operator to read any file on the user's PC that can be opened in a Web browser and affects both IE 5.5SP2 and IE 6.0, Microsoft saidThe file download and execution vulnerability is critical, according to Microsoft. The two other flaws are described as "moderate."

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Joris Evers

Computerworld
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?