Microsoft details IE vulnerability

An attacker can automatically store and execute a malicious program on a user's PC by exploiting a flaw in Microsoft Corp.'s Internet Explorer (IE) Web browser, the software maker has warned in a security bulletin.

IE 6.0 is flawed in the way it handles the Content-Disposition and Content-Type HTML (HyperText Markup Language) header fields on a Web page, Microsoft said. These fields, together with the hosting URL (Uniform Resource Locator) and the hosted file details, determine how IE handles a file after download, the company said.

An attacker can misrepresent the file type by altering the headers on a Web page or in an HTML e-mail message. IE then automatically downloads and executes the program when a user visits the Web site or views the e-mail message either in the preview pane or by opening it in an e-mail client that uses IE, such as Outlook Express, Microsoft said.

IE is supposed to show a security warning and ask the user what to do when a Web site offers an executable file for download.

The flaw also exists in IE versions 5.5 and 5.0, according to Oy Online Solutions Ltd., a Finnish security company credited by Microsoft for discovering the flaw. IE 5.5 with service pack 2 (SP2) installed isn't affected, Microsoft and Oy Online Solutions said. Microsoft only offers "hotfix support" for IE 6.0 and 5.5 with SP2, the latest IE versions.

An attacker could hijack a user's system and do anything a user could. The machine might be used in distributed denial of service (DDoS) attack or to spread viruses, Oy Online Solutions said.

Microsoft included a patch for the flaw in a cumulative software patch for IE versions 6.0 and 5.5 with SP2. The cumulative patch fixes all known bugs as well as three new ones, including the automatic file download and execute vulnerability.

Another new fix is one for a bug Oy Online Solutions made public in November. The file name in the IE download dialog box can be faked, potentially tricking a user into downloading and installing a malicious program on his PC by disguising it as an innocent file. This affects both IE5.5 SP2 and IE6.0, Microsoft said.

"This flaw led an expert at the Finnish company to discover the more serious automatic file download and execute flaw," said Oy Online Solutions Managing Director Jyrki Salmi.

There have been no reports of the most serious flaw being exploited, according to Salmi. However, he added, it isn't hard to find and exploit the hole.

"Somebody who is familiar with IE could be able to find the flaw based on information Microsoft provided and then it is fairly easy to exploit the flaw," he said. "This should be made very public and users should upgrade IE."

A third newly discovered flaw for which a patch is now available is a frame domain verification flaw. This flaw allows a malicious Web site operator to read any file on the user's PC that can be opened in a Web browser and affects both IE 5.5SP2 and IE 6.0, Microsoft saidThe file download and execution vulnerability is critical, according to Microsoft. The two other flaws are described as "moderate."

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Joris Evers

Computerworld
Show Comments

Father’s Day Gift Guide

Brand Post

Bitdefender 2019

Bitdefender solutions stop attacks before they even begin! Get cybersecurity that 500 MILLION users already have and trust.

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?