Users warned of Internet Explorer hole


Microsoft has warned of a serious security issue in Internet Explorer through which an attacker can automatically store and execute a malicious program on a user's PC.

Microsoft said IE 6.0 has a bug in the way it handles the Content-Disposition and Content-Type HTML header fields on a Web page. These fields, together with the hosting URL and the hosted file details, determine how IE handles a file after download.

IE is supposed to show a security warning and ask the user what to do when a Web site offers an executable file for download. But through the exploit, an attacker could misrepresent an executable file as something else by altering the headers on a Web page or in an HTML e-mail message.
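A defender can look for this kind of misrepresentation in proxy or mail-gateway logs by comparing the two headers. The following check is an added example, not code from Microsoft or Oy Online Solutions; the extension and type lists, the function names and the sample headers are constructed for illustration, and it assumes the misrepresentation shows up as a declared content type that disagrees with an executable filename.

```python
import os
from email.message import Message

# Assumed lists for illustration; adjust to local policy.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".bat", ".pif", ".cmd"}
EXECUTABLE_TYPES = {"application/octet-stream", "application/x-msdownload"}

def parse_headers(raw: str) -> Message:
    """Turn 'Name: value' lines into a case-insensitive header object."""
    msg = Message()
    for line in raw.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:
            msg[name.strip()] = value.strip()
    return msg

def check_headers(raw: str):
    """Return a reason string if the headers disagree, else None."""
    msg = parse_headers(raw)
    filename = msg.get_filename()  # filename= from Content-Disposition
    if not filename:
        return None
    # Keep only the last path component; drop trailing dots and spaces,
    # which Windows ignores when it resolves the extension.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ")
    ext = os.path.splitext(base.lower())[1]
    declared = msg.get_content_type() if msg["Content-Type"] else "(missing)"
    if ext in EXECUTABLE_EXTS and declared not in EXECUTABLE_TYPES:
        return f"declared type {declared} but filename {base!r} is executable"
    return None

# Constructed sample headers, not taken from the bulletin.
SAMPLES = {
    "normal_download": 'Content-Type: application/octet-stream\n'
                       'Content-Disposition: attachment; filename="setup.exe"',
    "image": 'Content-Type: image/png\n'
             'Content-Disposition: inline; filename="logo.png"',
    "disguised": 'Content-Type: image/jpeg\n'
                 'Content-Disposition: inline; filename="holiday.exe"',
    "trailing_dot": 'Content-Type: text/plain\n'
                    'Content-Disposition: attachment; filename="notes.exe."',
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label}: {check_headers(raw) or 'ok'}")
```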

In a security bulletin describing the flaw, Microsoft said IE would then download and execute the program automatically. This would occur whenever the user visited a Web site or viewed an e-mail message exploiting the bug. In the case of e-mail, the user would be affected either by viewing the message in the preview pane in Outlook or by opening it in an e-mail client that uses IE, such as Outlook Express.

The flaw also exists in IE versions 5.5 and 5.0, according to Finnish security company Oy Online Solutions, which discovered the bug. The company said a user running service pack 2 (SP2) with IE 5.5 would not be affected.

"Somebody who is familiar with IE could be able to find the flaw," said a spokesman for Oy Online. "This should be made very public and users should upgrade IE."
