Malicious FTP servers could target IE flaw


Bill Brenner, News Writer

Internet Explorer users should stay away from unfamiliar File Transfer Protocol (FTP) servers to avoid potential attacks by way of a new vulnerability in the popular browser, security experts say.

According to an advisory from Danish security firm Secunia, researcher Albert Puigsech Galicia found a security hole in Internet Explorer that malicious people could exploit to compromise vulnerable systems.

"The vulnerability is caused due to an input validation error in the handling of FTP file transfers," Secunia said. "This can be exploited by a malicious FTP server to create files in arbitrary locations via directory traversal attacks by tricking a user into downloading malicious files."

The firm said it confirmed the vulnerability on a fully patched system with Internet Explorer 6 and Microsoft Windows 2000 SP4 / XP SP1. Systems running Windows XP with SP2 are not affected.

Until the problem is fixed, Secunia recommends users avoid downloading files from untrusted FTP servers.
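
One way a client can validate server-supplied file names against the kind of directory traversal described above, as an added example (not code from Secunia, Microsoft or the researcher). The function names, the `downloads` directory and the sample listing are assumptions constructed for illustration.

```python
import os

# Characters that must never appear in a single file name taken from a server:
# both path separators, the Windows drive/stream colon, and NUL.
FORBIDDEN_CHARS = set('/\\:\0')


def resolve_download_path(download_dir, server_name):
    """Map an untrusted server-supplied name to a path inside download_dir.

    Raises ValueError if the name is not a plain file name or would resolve
    outside download_dir.
    """
    if not server_name or server_name in (".", ".."):
        raise ValueError("empty or dot name: %r" % server_name)
    if any(ch in FORBIDDEN_CHARS for ch in server_name):
        raise ValueError("path characters in name: %r" % server_name)
    base = os.path.realpath(download_dir)
    target = os.path.realpath(os.path.join(base, server_name))
    # Defence in depth: confirm containment after symlinks are resolved.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("resolves outside download dir: %r" % server_name)
    return target


def filter_listing(download_dir, names):
    """Split server-supplied names into (accepted paths, rejected names)."""
    accepted, rejected = [], []
    for name in names:
        try:
            accepted.append(resolve_download_path(download_dir, name))
        except ValueError:
            rejected.append(name)
    return accepted, rejected


# Constructed sample listing (hypothetical names), standing in for what an
# untrusted server might return.
SAMPLE_LISTING = [
    "report.txt", "notes.v2.txt",            # plain names: accepted
    "../../outside.txt", "..\\..\\outside.txt",
    "C:\\outside.txt", "/outside.txt", "..",  # traversal or absolute: rejected
]

if __name__ == "__main__":
    ok, bad = filter_listing("downloads", SAMPLE_LISTING)
    print("accepted:", ok)
    print("rejected:", bad)
```

The backslash and colon are rejected on every platform so that a name harmless on one system cannot become a path on Windows.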

FTP, a standard Internet protocol, is the simplest way to exchange files between computers on the Internet. Like the Hypertext Transfer Protocol (HTTP), which transfers displayable Web pages and related files, and the Simple Mail Transfer Protocol (SMTP), which transfers e-mail, FTP uses the Internet's TCP/IP protocols. It is commonly used to transfer Web page files from their creator to the computer that acts as their server for everyone on the Internet. It's also commonly used to download programs and other files to your computer from other servers.

Galicia's full findings are available here.

This article originally appeared on SearchSecurity.com.

