Malicious FTP servers could target IE flaw

Users should stay away from untrusted FTP servers that could exploit a security hole in Microsoft's browser.

Internet Explorer users should stay away from unfamiliar File Transfer Protocol (FTP) servers to avoid potential attacks by way of a new vulnerability in the popular browser, security experts say.

According to an advisory from Danish security firm Secunia, researcher Albert Puigsech Galicia found a security hole in Internet Explorer that malicious people could exploit to compromise vulnerable systems.

"The vulnerability is caused due to an input validation error in the handling of FTP file transfers," Secunia said. "This can be exploited by a malicious FTP server to create files in arbitrary locations via directory traversal attacks by tricking a user into downloading malicious files."

The firm said it confirmed the vulnerability on a fully patched system with Internet Explorer 6 and Microsoft Windows 2000 SP4 / XP SP1. Systems running Windows XP with SP2 are not affected.

Until the problem is fixed, Secunia recommends users avoid downloading files from untrusted FTP servers.
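The flaw Secunia describes comes down to a client trusting file names chosen by the server. The following Python code is an added example, not taken from the advisory or from Internet Explorer, showing how a download client can validate server-supplied names before writing to disk; the function names and the sample names are assumptions constructed for illustration.

```python
import os


class UnsafeFilename(ValueError):
    """Raised when a server-supplied name would escape the download folder."""


def safe_download_path(download_dir: str, server_name: str) -> str:
    """Map a file name sent by an FTP server to a path inside download_dir.

    The name is untrusted input. It must be a single path component, so the
    server never gets to choose where the file is written.
    """
    if not server_name or "\x00" in server_name:
        raise UnsafeFilename(repr(server_name))
    # Treat "/" and "\" alike, as Windows does, whatever OS this runs on.
    normalized = server_name.replace("/", "\\")
    # Reject separators, drive letters and stream syntax (":"), and names
    # made only of dots or spaces (".", "..", "...").
    if "\\" in normalized or ":" in normalized or not normalized.strip(". "):
        raise UnsafeFilename(repr(server_name))
    base = os.path.realpath(download_dir)
    target = os.path.realpath(os.path.join(base, normalized))
    # Defence in depth: the resolved path must still sit under the base.
    if os.path.commonpath([base, target]) != base:
        raise UnsafeFilename(repr(server_name))
    return target


# Constructed sample of names a server might return in a listing.
SAMPLE_NAMES = [
    "report.txt",
    "..\\..\\outside.txt",
    "../../outside.txt",
    "C:\\outside.txt",
    "notes.txt:hidden",
    "..",
]


def filter_listing(download_dir: str, names: list) -> tuple:
    """Split a listing into accepted {name: local path} and rejected names."""
    accepted, rejected = {}, []
    for name in names:
        try:
            accepted[name] = safe_download_path(download_dir, name)
        except UnsafeFilename:
            rejected.append(name)
    return accepted, rejected
```

Rejected names are worth logging on the client side, since a legitimate server has no reason to send path components in a file name.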

FTP, a standard Internet protocol, is the simplest way to exchange files between computers on the Internet. Like the Hypertext Transfer Protocol (HTTP), which transfers displayable Web pages and related files, and the Simple Mail Transfer Protocol (SMTP), which transfers e-mail, FTP uses the Internet's TCP/IP protocols. It is commonly used to transfer Web page files from their creator to the computer that acts as their server for everyone on the Internet. It's also commonly used to download programs and other files to your computer from other servers.

Galicia's full findings are available here.

This article originally appeared on
