Microsoft Internet Explorer download dialog may not display complete filenames

Overview

There is a vulnerability in the download dialog box in Internet Explorer versions 5.5 and 6.0. The vulnerability allows an attacker to mislead users, causing them to inadvertently execute arbitrary code on the user’s system.

Description

When downloading files included in web pages, users are often presented (depending on their security zone configuration) with a dialog box, requesting authorization to open or save the file. If an attacker includes certain malicious characters in the filename, the dialog box presented to the user may include misleading information about the nature of the file. In particular, the attacker may be able to cause a portion of the filename (such as the file extension) to not be included in the dialog box. An example exploit might cause an executable file to be presented as an image or a text file. If the user chooses to open (run) the file based on its filename, they may inadvertently execute arbitrary code supplied by the attacker.

The default setting of the dialog box is to “save” the file rather than “open” it. Users who accept the default option would only save the malicious code to their local systems. In order for the code to be executed, the user would have to intentionally execute the program by clicking “open.”

This attack may occur in a malicious web page or in an HTML email message.

---

Impact

Attackers can manipulate file extensions to alter the behavior of a download dialog box, thus misleading users into executing arbitrary code. Any such code would run with the privileges of the user who initiated the download.

---

Solution

Apply a patch from your vendor

Microsoft has released a cumulative patch for Internet Explorer, correcting this vulnerability and several others. For more information about the patch and the vulnerabilities, please see Microsoft Security Bulletin MS01-058:

<http://www.microsoft.com/technet/security/bulletin/MS01-058.asp&gt;

---

Disable file downloads in untrusted security zones

You can prevent the misleading dialog box from being presented to the user by disabling file downloads in untrusted security zones.

---

Vendor Information

457787

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Microsoft __ Affected

Updated: December 17, 2001

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Microsoft has published an advisory describing this vulnerability and two others (VU#443699 & VU#112475) at:

<http://www.microsoft.com/technet/security/bulletin/MS01-058.asp&gt;

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23457787 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.microsoft.com/technet/security/bulletin/MS01-058.asp&gt;
• <http://www.securityfocus.com/bid/3597&gt;

Acknowledgements

Microsoft has publicly acknowledged Jouko Pynnonen of Oy Online Solutions Ltd as the reporter of this vulnerability.

This document was written by Cory F. Cohen.

Other Information

CVE IDs:	CVE-2001-0875
Severity Metric:	6.90 Date Public: