[26845] in bugtraq
Origin of downloaded files can be spoofed in MSIE
daemon@ATHENA.MIT.EDU (Jouko Pynnonen)
Wed Aug 28 11:26:43 2002
Date: Wed, 28 Aug 2002 15:30:13 +0300 (EEST)
From: Jouko Pynnonen <jouko@solutions.fi>
To: <bugtraq@securityfocus.com>
Message-ID: <Pine.LNX.4.33.0208281318410.13508-100000@lissu.solutions.fi>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
OVERVIEW
========
Microsoft Internet Explorer contains a flaw which allows the origin of a
file shown in the download dialog to be spoofed. A download can be
initiated automatically by a web site or a mail message. If Internet
Explorer thinks the file isn't suitable to be opened directly, the user is
presented with a download dialog which shows the file name and originating web
server. The user can then choose whether the file should be opened or
saved to disk, or can cancel the download. By exploiting this flaw the
web server name shown in this dialog can be freely chosen by the
initiator of the download.
The user could thus be tricked into believing that a malicious file being
downloaded is coming from a trusted source and is a useful or
necessary piece of software. If such a file is opened, it could do anything
that the user could do on the system. Judging by what is seen in the
download dialog, there isn't any way to see that the file origin is spoofed.
DETAILS
=======
Technically this vulnerability is very similar to the "file extension
spoofing" vulnerability reported by Online Solutions Ltd in 2001. In both
cases a specially formed URL causes Internet Explorer to display wrong
information in the download dialog. In this case, however, the technical
behaviour of the download isn't affected - a malicious site can NOT cause
the downloaded file to be opened automatically. The user has to make the
decision to open or save the file.
SOLUTION
========
Microsoft was informed on July 5th. A patch correcting the flaw has been
published at Microsoft's site:
http://www.microsoft.com/technet/security/bulletin/MS02-047.asp
As a temporary workaround, file downloads can always be rejected even if
they seem to originate from a known, trusted website.
--
Jouko Pynnonen Online Solutions Ltd Secure your Linux -
jouko@solutions.fi http://www.solutions.fi http://www.secmod.com