Microsoft said IE 6.0 has a bug in the way it handles the Content-Disposition and Content-Type HTML header fields on a Web page. These fields, together with the hosting URL and the hosted file details, determine how IE handles a file after download.
IE is supposed to show a security warning and ask the user what to do when a Web site offers an executable file for download. But through the exploit, an attacker could misrepresent an executable file as something else by altering the headers on a Web page or in an HTML e-mail message.
In a security bulletin describing the flaw, Microsoft said IE would then download and execute the program automatically. This would occur whenever the user visited a Web site or viewed an e-mail message exploiting the bug. In the case of e-mail, the user would be affected both within the preview pane in Outlook or by opening it in an e-mail client that uses IE, such as Outlook Express.
The flaw also exists in IE versions 5.5 and 5.0, according to Finnish security company Oy Online Solutions, which discovered the bug. The company said a user running service pack 2 (SP2) with IE 5.5 would not be affected.
"Somebody who is familiar with IE could be able to find the flaw," said a spokesman for Oy Online. "This should be made very public and users should upgrade IE."