OVERVIEW
========

Microsoft Internet Explorer contains a flaw which allows the origin of a
file shown in the download dialog to be spoofed.

A download can be initiated automatically by a web site or a mail message.
If Internet Explorer thinks the file isn't suitable to be opened directly,
the user is presented with a download dialog which shows the file name and
the originating web server. The user can then choose whether the file
should be opened or saved to disk, or can cancel the download.

By exploiting this flaw, the initiator of the download can freely choose
the web server name shown in this dialog. The user could thus be tricked
into believing that a malicious file being downloaded comes from a trusted
source and is a useful or necessary piece of software. If such a file is
opened, it could do anything that the user could do on the system. Nothing
shown in the download dialog reveals that the file origin is spoofed.


DETAILS
=======

Technically this vulnerability is very similar to the "file extension
spoofing" vulnerability reported by Online Solutions Ltd in 2001. In both
cases a specially formed URL causes Internet Explorer to display wrong
information in the download dialog. In this case, however, the technical
behaviour of the download isn't affected: a malicious site can NOT cause
the downloaded file to be opened automatically. The user has to make the
decision to open or save the file.


SOLUTION
========

Microsoft was informed on July 5th. A patch correcting the flaw has been
published at Microsoft's site:

http://www.microsoft.com/technet/security/bulletin/MS02-047.asp

As a temporary workaround, file downloads can always be rejected, even if
they seem to originate from a known, trusted website.


--
Jouko Pynnonen, jouko@solutions.fi
Online Solutions Ltd, http://www.solutions.fi
Secure your Linux - http://www.secmod.com