Microsoft Internet Explorer (MSIE) Content-Disposition vulnerabilities

ID VU:916795
Type cert
Reporter CERT
Modified 2003-09-18T00:00:00



Microsoft Internet Explorer (IE) may handle executable content automatically, opening it with another application on the client host that may, in turn, instruct the operating system to execute the file.


IE does not properly verify the Content-Disposition and Content-Type headers of downloaded files. As a result, it may be manipulated to open an executable file with forged Content-Disposition and Content-Type headers, using the helper application associated with the MIME type specified by the forged headers.


Arbitrary code in the malicious file may be executed, with privileges of the client user.


Apply a patch from your vendor

See Microsoft Security Bulletin MS02-023 for more information:


Systems Affected

Vendor| Status| Date Notified| Date Updated
Microsoft Corporation| | 30 May 2002| 04 Jun 2002
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A


  • <>
  • <>


Thanks to Microsoft for reporting this vulnerability.

This document was written by Shawn Van Ittersum.

Other Information

  • CVE IDs: CAN-2002-0193
  • Date Public: 15 May 2002
  • Date First Published: 24 Sep 2002
  • Date Last Updated: 18 Sep 2003
  • Severity Metric: 12.38
  • Document Revision: 16