Another IE Spoofing Hole Found

 
 
By Matthew Hicks  |  Posted 2004-01-28 Print this article Print
 
 
 
 
 
 
 

The latest Internet Explorer vulnerability could let an attacker hide the file extension of a malicious file download. Users can avoid the threat by saving files first.

Security researchers are warning of another spoofing vulnerability in Internet Explorer, this time one that allows an attacker to mask the true file extension of malicious downloads. The file-extension spoof means that an attacker could lull a user into opening a malicious file from a Web site by making the file appear as a legitimate extension, such as a PDF or MPEG, researchers said on Wednesday. In a security bulletin, Copenhagen-based security vendor Secunia Ltd. rated the vulnerability as "moderately critical" and said it affected IE 6 and possibly earlier versions of the Web browser, as well.
Users can avoid the vulnerability by first saving a download to a folder, rather than directly opening it, when prompted by IE. Saving the file reveals its true file name.
A Microsoft Corp. spokeswoman said the company is investigating the file-name spoofing vulnerability but could not say whether a fix would be ready at the same time as a planned patch for another IE spoofing vulnerability. The other vulnerability, disclosed in December, could allow attackers to fake URLs in the Web browsers address bar and convince users to disclose sensitive information. Microsoft officials have said they have a patch ready to fix that vulnerability but are testing it for multiple versions of IE on various platforms and for various languages. Read more here about Microsofts elusive IE spoofing patch. As with the disclosure of the earlier IE spoofing vulnerability, a Microsoft spokeswoman criticized security researchers for not first informing the Redmond, Wash., company about the latest spoofing issue before disclosing it publicly.
 
 
 
 
Matthew Hicks As an online reporter for eWEEK.com, Matt Hicks covers the fast-changing developments in Internet technologies. His coverage includes the growing field of Web conferencing software and services. With eight years as a business and technology journalist, Matt has gained insight into the market strategies of IT vendors as well as the needs of enterprise IT managers. He joined Ziff Davis in 1999 as a staff writer for the former Strategies section of eWEEK, where he wrote in-depth features about corporate strategies for e-business and enterprise software. In 2002, he moved to the News department at the magazine as a senior writer specializing in coverage of database software and enterprise networking. Later that year Matt started a yearlong fellowship in Washington, DC, after being awarded an American Political Science Association Congressional Fellowship for Journalist. As a fellow, he spent nine months working on policy issues, including technology policy, in for a Member of the U.S. House of Representatives. He rejoined Ziff Davis in August 2003 as a reporter dedicated to online coverage for eWEEK.com. Along with Web conferencing, he follows search engines, Web browsers, speech technology and the Internet domain-naming system.
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel