Microsoft Internet Explorer Spoofable File Extensions Vulnerability

It is possible for a malicious webmaster, hosting files on an website, to spoof file extensions for users of Internet Explorer. For example, an .exe file can be made to look like a .txt (or other seemingly harmless file type) file in the Download dialog.

When including a certain string of characters between the filename and the actual file extension, IE will display the specified misleading file extension type.

The end result is that a malicious webmaster is able to entice a user to open or save arbitrary files to their local system.

* It has been reported that patched systems may still be vulnerable to this issue. If the attacker composes a .hta file, using the methods described above, it is possible for the malicious file to go undetected by patched systems.


Privacy Statement
Copyright 2010, SecurityFocus