Internet Explorer File Download Extension Spoofing

http-equiv has identified a vulnerability in Internet Explorer, allowing malicious web sites to spoof the file extension of downloadable files.

The problem is that Internet Explorer can be tricked into opening a file with a different application than the one indicated by the file extension. This can be done by embedding a CLSID in the file name. This could be exploited to trick users into opening "trusted" file types which are in fact malicious files.

Secunia has created an online test:
http://secunia.com/Internet_Explorer_File_Download_Extension_Spoofing_Test/

This has been reported to affect Microsoft Internet Explorer 6.

NOTE: Prior versions may also be affected.

Source:
Secunia

In other news, Microsoft plans to release a patch that disallows the username-and-password format in URLs, like user:password@mysite.com.

"This decision (to remove the behavior) has been a long time coming. Removing this feature will go a long way towards preventing IE users from being taken by phishing scams," said WhiteHat Security founder Jeremiah Grossman. "As more IE users patch, phishing scammers will need to resort to other methods."

Phishing schemes are socially engineered attacks intended for the sole purpose of obtaining site passwords, credit card numbers and other personally identifiable information.

Commenting on its decision, a Microsoft spokesperson told BetaNews, "This change in functionality will improve user security because the use of this URL syntax can potentially expose the user's name and password in plain text within the URL for the displayed page. An example of the security danger is that in a cross-frame or hidden-frame scenario, script in pages from visited Web sites can easily access the URL, parse it, and determine the username and password for other sites."

From: Betanews
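
The URL syntax discussed above, as an added example (not code from Betanews, Microsoft or the original post): a JavaScript check that uses the standard URL parser to flag credentials embedded in a URL, report the host that is actually contacted, and produce a credential-free form for logging. The function name inspectUserinfo and every sample URL are constructed for illustration.

```javascript
// Added example: all URLs below are constructed and use reserved
// example names and documentation addresses.

// Inspect a URL for the user:password@host (userinfo) syntax.
function inspectUserinfo(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl); // standard WHATWG URL parser
  } catch (err) {
    return { valid: false, hasUserinfo: false };
  }
  const hasUserinfo = url.username !== "" || url.password !== "";

  // A username shaped like a host name (labels separated by dots) is the
  // misleading case: the reader sees a familiar name first, while the
  // browser actually contacts url.hostname.
  const userinfoLooksLikeHost =
    hasUserinfo && /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(url.username);

  // Credential-free copy, suitable for logs or for display to the user.
  const clean = new URL(url.href);
  clean.username = "";
  clean.password = "";

  return {
    valid: true,
    hasUserinfo,
    passwordPresent: url.password !== "",
    userinfoLooksLikeHost,
    realHost: url.hostname,
    sanitized: clean.href,
  };
}

// Constructed sample input.
const samples = [
  "http://www.bank.example@198.51.100.7/login", // host-like userinfo
  "http://alice:s3cret@intranet.example/report", // plain-text credentials
  "https://shop.example/cart?x=1",               // no userinfo
];
for (const s of samples) {
  console.log(s, inspectUserinfo(s));
}
```

Running the sanitized form through logs and referrer handling keeps the plain-text password described in the Microsoft statement out of places where other pages or systems can read it.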

 

1 Comment

  • What exactly did they discover? That ContentType dictates the type of an HTTP resource, not a "file extension"? That's the way it should be, all browsers do that. Or do you think IE should display an .aspx page generating an image/png response as a text (which is the actual content type of an .aspx extension in WinXP)? The only problem is IE's UI design, where it doesn't tell the user what type the file is, but then IE has more important issues to fix (such as ignoring ContentType header in some cases).
