For those who don't have their http-equiv speak secret-decoder-ring with them, the GUID in this file extension causes the file to be treated as an HTML Application instead of the mpeg file it 'appears' to be. However, if you try out the 'demo', you'll see that you get prompted with the standard IE Open/Save dialog box that warns the user that opening files can be dangerous. That dialog doesn't list any file type for the file, MPEG or otherwise. The only thing that's misleading is that the file appears to have a .mpeg extension. If you save the file to disk, as opposed to opening it directly, then it's treated as a .mpeg, as you would expect. Personally I don't think this is much of an issue. This trick makes a file _sort_of_ appear to be of a different type than it actually is. Opening content from the web directly is dangerous; we all knew that already. For this trick to be used as an attack vector, a user must intervene and do something which is known to be dangerous, and labelled as such. IE should probably display the correct file-type 'HTML Application' instead of leaving this part of the dialog blank. The real problem is that IE makes it far too easy for users to run executable content that's downloaded from the web. That's just a bad idea.
Cheers, ~x

> -----Original Message-----
> From: http-equiv@excite.com [mailto:1@malware.com]
> Sent: January 27, 2004 12:27 PM
> To: bugtraq@securityfocus.com
> Cc: NTBugtraq@listserv.ntbugtraq.com
> Subject: GOOROO CROSSING: File Spoofing Internet Explorer 6
>
> Tuesday, January 27, 2004
>
> Trivial file spoofing in Internet Explorer 6.0.2800.1106 and all
> of 'its' patches to date on WIN XP [probably others]:
>
> Content-Disposition: attachment;
> filename=malware.{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}fun_ball_gites_pie_throw%2Empeg"
>
> Absolute bare minimum working demo [perhaps even feeble] as we
> are absolutely confident the self-appointed resident gooroo will
> be along shortly handing out packets of two cents to everyone
> thus saving us the effort to illustrate in even greater detail
> to those lacking imagination:
>
> http://www.malware.com/gooroo.html
>
> End Call
> --
> http://www.malware.com

---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.558 / Virus Database: 350 - Release Date: 02/01/2004

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.558 / Virus Database: 350 - Release Date: 02/01/2004
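As an added defender-side example (not part of either message above), a small Python checker that parses a Content-Disposition header the way the quoted advisory sends it and flags a CLSID embedded in the filename ahead of the visible extension, which is the mismatch the reply says IE's dialog should have surfaced. The sample header is constructed from the advisory's example (stray trailing quote included); the tolerant parsing regex and the dict layout are this example's own assumptions, not anything from the page.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Windows CLSID syntax: {8-4-4-4-12 hex digits}. A CLSID inside a filename can bind
# the file to that class (here an HTML Application) instead of its visible extension.
CLSID_RE = re.compile(
    r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"
)


def content_disposition_filename(header: str) -> Optional[str]:
    """Extract the filename parameter, tolerating the unbalanced quote and the
    %-encoding (%2E for '.') used in the advisory's header. None if absent."""
    m = re.search(r'filename\s*=\s*"?([^";]+)"?', header, re.IGNORECASE)
    if not m:
        return None
    return unquote(m.group(1).strip())


def classify(header: str) -> dict:
    """Report the extension a user would see versus what the name really carries."""
    name = content_disposition_filename(header)
    if name is None:
        return {"filename": None, "apparent_ext": None, "clsids": [], "suspicious": False}
    clsids = [c.upper() for c in CLSID_RE.findall(name)]
    apparent_ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    return {
        "filename": name,
        "apparent_ext": apparent_ext,   # what the Open/Save dialog shows the user
        "clsids": clsids,               # class identifiers hidden in the name
        "suspicious": bool(clsids),     # any CLSID in a filename is a red flag
    }


if __name__ == "__main__":
    # Constructed header mirroring the advisory's example (stray quote included)
    sample = ('attachment; filename=malware.{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}'
              'fun_ball_gites_pie_throw%2Empeg"')
    print(classify(sample))
```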