The file-extension spoof means that an attacker could lull a user into opening a malicious file from a Web site by making the file appear as a legitimate extension, such as a PDF or MPEG, researchers said on Wednesday.
In a security bulletin, Copenhagen-based security vendor Secunia Ltd. rated the vulnerability as "moderately critical" and said it affected IE 6 and possibly earlier versions of the Web browser, as well.
Users can avoid the vulnerability by first saving a download to a folder, rather than directly opening it, when prompted by IE. Saving the file reveals its true file name.
A Microsoft Corp. spokeswoman said the company is investigating the file-name spoofing vulnerability but could not say whether a fix would be ready at the same time as a planned patch for another IE spoofing vulnerability.
The other vulnerability, disclosed in December, could allow attackers to fake URLs in the Web browsers address bar and convince users to disclose sensitive information.
Microsoft officials have said they have a patch ready to fix that vulnerability but are testing it for multiple versions of IE on various platforms and for various languages.
As with the disclosure of the earlier IE spoofing vulnerability, a Microsoft spokeswoman criticized security researchers for not first informing the Redmond, Wash., company about the latest spoofing issue before disclosing it publicly.