
Microsoft Internet Explorer File Download Warning Bypass Vulnerability

It has been reported that Microsoft Internet Explorer may be prone to a vulnerability when handling file URIs, which may be exploited to download a malicious file to the client system. By renaming a file, an attacker may reportedly be able to trick the browser into bypassing the security warning. An attacker may name a file in the following format to conceal the extension type from the browser:

http://www.example.com/file.exe?.html

Successful exploitation of this issue may allow an attacker to plant malicious files on vulnerable systems in order to execute malicious code.

This issue has reportedly been tested with Microsoft Internet Explorer running on a Windows 2003 Web Server edition platform; however, other versions are likely to be affected as well.
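
A detection sketch for the URL format described above, added here and not part of the original advisory: it flags requested URLs whose path ends in an executable extension while the query string ends in a document extension. The extension lists, function names and all sample URLs except the first are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

# Assumed policy lists, not taken from the advisory; adjust locally.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif"}
DOCUMENT_EXTS = {".html", ".htm", ".txt", ".jpg", ".gif", ".pdf"}


def _ext(text):
    """Return the lower-cased '.ext' that ends the last '/' segment, or ''."""
    name = text.rsplit("/", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def is_masked_download(url):
    """True when the path names an executable but the query ends like a document."""
    parts = urlsplit(url)
    # Decode percent-escapes first so 'file%2Eexe' is seen as 'file.exe'.
    path_ext = _ext(unquote(parts.path))
    query_ext = _ext(unquote(parts.query))
    return path_ext in EXECUTABLE_EXTS and query_ext in DOCUMENT_EXTS


def flag_urls(urls):
    """Return the URLs from a proxy or web log that match the pattern."""
    return [u for u in urls if is_masked_download(u)]


# Constructed sample requests; only the first comes from the advisory text.
SAMPLE_URLS = [
    "http://www.example.com/file.exe?.html",
    "http://www.example.com/file.exe",
    "http://www.example.com/index.html?ref=setup.exe",
    "http://www.example.com/docs/FILE.EXE?x=.HTML",
    "http://www.example.com/file%2Eexe?%2Ehtml",
    "http://www.example.com/report.html",
]

if __name__ == "__main__":
    for url in flag_urls(SAMPLE_URLS):
        print("masked executable download:", url)
```

The check keys on the parsed path rather than the end of the URL string, so a trailing document extension in the query does not hide the real file type.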

Copyright 2009, SecurityFocus