Users warned of Internet Explorer hole



Microsoft has warned of a serious security issue in Internet Explorer through which an attacker can automatically store and execute a malicious program on a user's PC.

Microsoft said IE 6.0 has a bug in the way it handles the Content-Disposition and Content-Type HTML header fields on a Web page. These fields, together with the hosting URL and the hosted file details, determine how IE handles a file after download.

IE is supposed to show a security warning and ask the user what to do when a Web site offers an executable file for download. But through the exploit, an attacker could misrepresent an executable file as something else by altering the headers on a Web page or in an HTML e-mail message.

In a security bulletin describing the flaw, Microsoft said IE would then download and execute the program automatically. This would occur whenever the user visited a Web site or viewed an e-mail message exploiting the bug. In the case of e-mail, the user would be affected either through the preview pane in Outlook or by opening the message in an e-mail client that uses IE, such as Outlook Express.
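For defenders, the header mismatch described above can be checked at a proxy or mail gateway. The following is an added example, not code from Microsoft or Oy Online Solutions: it flags a response whose Content-Disposition filename has an executable extension while Content-Type declares a non-executable type. The extension list, the type list and the mismatch rule itself are assumptions, since the article does not give the exact header values involved.

```python
import os
from email.parser import HeaderParser

# Assumed lists for illustration; extend them for your environment.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".hta"}
EXECUTABLE_TYPES = {
    "application/octet-stream",
    "application/x-msdownload",
    "application/x-msdos-program",
}


def check_download_headers(raw_headers: str) -> dict:
    """Compare the declared Content-Type with the Content-Disposition filename.

    Returns the parsed values and a 'mismatch' flag that is True when the
    filename looks executable but the declared type does not.
    """
    lines = raw_headers.lstrip().splitlines()
    # An HTTP status line is not a header; drop it before parsing.
    if lines and lines[0].upper().startswith("HTTP/"):
        lines = lines[1:]
    msg = HeaderParser().parsestr("\n".join(lines) + "\n\n")

    content_type = msg.get_content_type()   # lower-cased, parameters stripped
    filename = msg.get_filename()           # filename= parameter, or None
    ext = os.path.splitext(filename.lower())[1] if filename else ""

    mismatch = ext in EXECUTABLE_EXTS and content_type not in EXECUTABLE_TYPES
    return {"content_type": content_type, "filename": filename, "mismatch": mismatch}


# Constructed sample responses (not captured traffic).
DISGUISED = (
    "HTTP/1.1 200 OK\n"
    "Content-Type: text/plain\n"
    'Content-Disposition: attachment; filename="readme.txt.exe"\n'
)
HONEST = (
    "HTTP/1.1 200 OK\n"
    "Content-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="setup.exe"\n'
)
PLAIN_PAGE = "HTTP/1.1 200 OK\nContent-Type: text/html; charset=utf-8\n"

if __name__ == "__main__":
    for name, sample in [("disguised", DISGUISED), ("honest", HONEST), ("page", PLAIN_PAGE)]:
        print(name, check_download_headers(sample))
```

A flagged response is a candidate for blocking or quarantine; an honestly declared executable is left to the browser's normal download warning.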

The flaw also exists in IE versions 5.5 and 5.0, according to Finnish security company Oy Online Solutions, which discovered the bug. The company said a user running service pack 2 (SP2) with IE 5.5 would not be affected.

"Somebody who is familiar with IE could be able to find the flaw," said a spokesman for Oy Online. "This should be made very public and users should upgrade IE."
