|Ασφάλεια|Two vulnerabilities have been discovered in Internet Explorer, which can be exploited by malicious people to bypass a security feature in Microsoft Windows XP SP2 and trick users into downloading malicious files.
Critical: Moderately critical

Impact: Security Bypass, Spoofing

Where: From remote

Solution Status: Unpatched

Software: Microsoft Internet Explorer 6



Description:

1) Microsoft Windows XP SP2 has a security feature which warns users when opening downloaded files of certain types. The problem is that if the downloaded file was sent with a specially crafted "Content-Location" HTTP header in some situations, then no security warning will be given to the user when the file is opened.



2) An error when saving some documents using the Javascript function "execCommand()", can be exploited to spoof the file extension in the "Save HTML Document" dialog.



Successful exploitation requires that the option "Hide extension for known file types" is enabled (default setting).



A combination of vulnerability 1 and 2 can be exploited by a malicious website to trick a user into downloading a malicious executable file masqueraded as a HTML document.



The vulnerabilities have been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2.



Solution:

Disable Active Scripting support and the "Hide extension for known file types" option.



There's a demo of these problems, here http://insecure.hopto.org:53/