Another IE Spoofing Hole Found
The latest Internet Explorer vulnerability could let an attacker hide the file extension of a malicious file download. Users can avoid the threat by saving files first.Security researchers are warning of another spoofing vulnerability in Internet Explorer, this time one that allows an attacker to mask the true file extension of malicious downloads. The file-extension spoof means that an attacker could lull a user into opening a malicious file from a Web site by making the file appear as a legitimate extension, such as a PDF or MPEG, researchers said on Wednesday. In a security bulletin, Copenhagen-based security vendor Secunia Ltd. rated the vulnerability as "moderately critical" and said it affected IE 6 and possibly earlier versions of the Web browser, as well.
Users can avoid the vulnerability by first saving a download to a folder, rather than directly opening it, when prompted by IE. Saving the file reveals its true file name.