When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works.

Yet another hole in IE, but no fix yet!

Neowin · with -1 comments

Slashdot is all over this story, from NewsByte and SecurityFocus, where it is being reported that a serious vunerability was discoverred in IE on the 19th November, but as of today, Microsoft have not released a patch (although one is currently in testing but not details have been issued on this flaw). (BUT there are indeed details of this flaw and it's all over the net like a hot potato! Ed.)

The flaw was discovered by Jouko Pynnonen, a security researcher with Finland's Oy Online Solutions, and affects IE for Windows versions 5, 5.5, while version 6 is exploitable in a slightly different way, but the effect is the same.

The user gets a download dialog with the spoofed file name and extension, and can choose between "Open" and "Save". Opening the file causes the program to be run.

An IE5 with the latest updates shows the spoofed file name and extension without a sign of EXE, and issue no Security Warning dialog after the file download dialog.

Any way to skip all dialogs, ie. to run an application without ANY dialog with this vulnerability has NOT been found. In all variations of the exploit there is always the normal file download dialog, but the following Security Warning dialog is skipped.

According to Pynnonen, the vulnerability also may affect users of Microsoft's Outlook and Outlook Express e-mail readers, which rely on IE to display messages in Web-page or HTML format. Qualcomm's Eudora e-mail reader, which optionally uses IE for HTML display, could also be vulnerable, he said.

The flaw exists, in a nut shell, becuase IE treats both the filename of the file being downloaded AND the file's HTTP's ContentType header information as different items.

The download dialog gets based on the filename (example.doc), so this is what the user is shown, BUT IE, after the file has been downloaded, uses the ContentType to launch the file IF the "Open" option is used. So if the HTTP header reports the ContentType=application/octet-stream, IE, after the file has been downloaded, executes it! Ooch!

One user, Jonathan Lampe, posted on the SecurityFocus mailing list a successful exploit, and has produced a rather interesting example. Worth checking out.

News source: Slashdot

View: NewsByte article and the OnlineSolutions Security bulletin

View: SecurityFocus Mail List Archive - File Extensions Spoofable in MSIE download dialog with example of exploit in IE5

Report a problem with article
Next Article

Pressplay backs CD burning

Previous Article

AIM+

Join the conversation!

Login or Sign Up to read and post a comment.

-1 Comments - Add comment