There is a vulnerability in the download dialog box in Internet Explorer versions 5.5 and 6.0. The vulnerability allows an attacker to mislead users, causing them to inadvertently execute arbitrary code on their own systems.
When downloading files included in web pages, users are often presented (depending on their security zone configuration) with a dialog box, requesting authorization to open or save the file. If an attacker includes certain malicious characters in the filename, the dialog box presented to the user may include misleading information about the nature of the file. In particular, the attacker may be able to cause a portion of the filename (such as the file extension) to not be included in the dialog box. An example exploit might cause an executable file to be presented as an image or a text file. If the user chooses to open (run) the file based on its filename, they may inadvertently execute arbitrary code supplied by the attacker.
The default setting of the dialog box is to "save" the file rather than "open" it. Users who accept the default option would only save the malicious code to their local systems. In order for the code to be executed, the user would have to intentionally execute the program by clicking "open."
This attack may occur in a malicious web page or in an HTML email message.
Attackers can manipulate file extensions to alter the behavior of a download dialog box, thus misleading users into executing arbitrary code. Any such code would run with the privileges of the user who initiated the download.
Apply a patch from your vendor
Microsoft has released a cumulative patch for Internet Explorer, correcting this vulnerability and several others. For more information about the patch and the vulnerabilities, please see Microsoft Security Bulletin MS01-058:
Disable file downloads in untrusted security zones
You can prevent the misleading dialog box from being presented to the user by disabling file downloads in untrusted security zones.
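The advisory does not name the characters involved, so the following added example (not part of the original advisory or any vendor code) shows a generic check a mail or web gateway could apply: it flags a download or attachment name whose final extension is executable while the name also contains non-printing characters, a long whitespace run, or a document-style extension earlier in the name. The extension lists, the whitespace threshold and the sample names are assumptions constructed for illustration.

```python
import re
import unicodedata

# Assumed policy lists (not from the advisory); tune them for your environment.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".hta", ".lnk"}
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".pdf", ".doc", ".htm", ".html"}
PADDING = re.compile(r"\s{4,}")  # assumed threshold for a suspicious whitespace run


def _is_hidden(ch):
    # Cc = control characters, Cf = format characters (e.g. bidirectional overrides)
    return unicodedata.category(ch) in ("Cc", "Cf")


def audit_filename(raw):
    """Compare what a dialog may show with the extension the system acts on."""
    name = re.split(r"[\\/]", raw)[-1]  # drop any path component
    reasons = []
    if any(_is_hidden(ch) for ch in name):
        reasons.append("non-printing character in name")
    if PADDING.search(name):
        reasons.append("long whitespace run in name")
    visible = "".join(ch for ch in name if not _is_hidden(ch))
    # Every dot-separated suffix, ignoring empty ones left by trailing dots.
    exts = ["." + p.strip().lower() for p in visible.split(".")[1:] if p.strip()]
    real_ext = exts[-1] if exts else ""
    executable = real_ext in EXECUTABLE_EXTS
    if executable and any(e in DECOY_EXTS for e in exts[:-1]):
        reasons.append("document-style extension before executable extension")
    return {"real_ext": real_ext, "executable": executable, "reasons": reasons,
            "block": executable and bool(reasons)}


# Constructed sample names, as a gateway might read them from a
# Content-Disposition header or a MIME attachment part.
SAMPLES = [
    "report.txt",
    "setup.exe",
    "photo.jpg\x01.exe",
    "invoice.txt" + " " * 40 + ".scr",
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = audit_filename(s)
        print(repr(s), "->", "BLOCK" if r["block"] else "pass", r["real_ext"], r["reasons"])
```

A plainly named executable such as `setup.exe` is reported as executable but not blocked by this check; whether to allow executables at all is a separate policy decision.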
Updated: December 17, 2001
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Microsoft has published an advisory describing this vulnerability and two others (VU#443699 & VU#112475) at:
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Microsoft has publicly acknowledged Jouko Pynnonen of Oy Online Solutions Ltd as the reporter of this vulnerability.
This document was written by Cory F. Cohen.
CVE IDs: CVE-2001-0875
Severity Metric: 6.90
Date Public: 2001-12-13
Date First Published: 2001-12-14
Date Last Updated: 2002-01-03 21:09 UTC
Document Revision: 23