[20013] in bugtraq


Re: User may be fooled to execute programs browsing with IE5.1

daemon@ATHENA.MIT.EDU (=?iso-8859-1?Q?Jes=FAs_L=F3pez_de_)
Tue Apr 3 18:57:46 2001

MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Message-ID:  <010c01c0bc15$98cc12e0$309451d4@servidor>
Date:         Tue, 3 Apr 2001 10:10:50 +0200
Reply-To: Jesús López de Aguileta <aguileta@EUNATE.NET>
From: Jesús López de Aguileta <aguileta@EUNATE.NET>
X-To:         Microsoft Security Response Center <secure@microsoft.com>
To: BUGTRAQ@SECURITYFOCUS.COM

Hi Scott,

>I'm afraid the situation may not be what you believe.  First, your
>system is not patched, despite what the dialogue says.

I believed this dialog AFTER going to Cuartango's exploit page and testing
the 3 exploits. The 3 don't work. I admit that I have IE5.01 without any SP but
trust me, these exploits don't work in my system.

>We checked the code you provided below, and have verified that the
>behavior you're seeing is not a vulnerability.  Although you're right
>that it's possible for a web site to initiate a file download, this
>is by-design behavior and is unrelated to the vulnerability discussed
>in MS01-020.  A Q&A in the FAQ discusses the situation:

>-------- start ----------
>I heard that even after applying this patch, an e-mail could start a
>file download automatically. Is this true?
>Yes. However, this is not related to this vulnerability, and doesn't
>pose a security risk. It's always possible for an e-mail to start a
>file download, and of course the author of the mail can give the file
>a name that sounds innocuous. However, the file download cannot
>actually begin unless and until the user selects a location to which
>it should be downloaded, and clicks the OK button.

Yes, I've read it. But I still think there is a bug (not a serious
vulnerability).

You're right, IE always asks for download, but these two questions have
different meanings:

1) RUN this PROGRAM from its current location.
2) OPEN this FILE from its current location.

AFAIK, when IE detects an executable extension (exe, bat, vbs) it always asks the
first question. Asking the second question may confuse the user. Of course "the
author can give the file a name that sounds innocuous"; the problem is that IE
asks a question that sounds innocuous too.

It's only a concordance problem in all IE's messages.

Thank you for your response.

Jesus Lopez de Aguileta

P.S: I'm downloading right now IE's SP1 for reapplying the patch ;)
