From the latest SANS alert:

(1) MODERATE: Microsoft Internet Explorer File Extension Spoofing

Description: Internet Explorer (IE) contains a flaw in handling
filenames with specially crafted extensions. Specifically, extensions
containing a hex-encoded period character ("%2e") and an application
CLSID are not displayed properly by the browser during a file download
dialogue. The flaw allows an attacker to craft a CLSID-carrying filename
such that the filename appears to have a "safe" extension (e.g. .pdf)
when displayed by IE during download. Thus a web client can be tricked
into downloading and opening what looks like a "safe" file type,
while the file actually contains malicious code. When the file is opened, IE
passes control to the Windows operating system. However, the OS does
not see the same "safe" file extension that was displayed by IE.
Instead, the OS processes the file according to the CLSID. For example,
a file named with the HTML application (HTA) CLSID will be executed as
an HTA file. In this way the web client can be tricked into downloading
and executing attacker-supplied code. Proof-

Status: Microsoft has not yet acknowledged the problem. No fixes are
currently available. However, exploitation is only possible if the
victim opens the malicious file directly from the download dialogue
(rather than saving the file to disk and then opening the saved file).
When downloading, always "save to disk" in the download dialogue.
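Beyond the "save to disk" habit, a mail or web gateway can catch these names before the dialogue is ever shown, by comparing the extension a user would see with the component the OS would actually dispatch on. The script below is an added example written for this post; it is not code from SANS or from Microsoft. It models the behaviour the alert describes (the dialogue shows the name only up to the first percent-encoded period, the OS receives the decoded name and honours a trailing {CLSID}), and the sample names and the class ID in them are constructed for illustration rather than taken from any real capture.

```python
"""Gateway-side check for CLSID file-extension spoofing in download names."""
import re
from urllib.parse import unquote

# Windows class ID in registry form, {8-4-4-4-12 hex digits}, anchored to the
# end of the name so that it is the component the OS would dispatch on.
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
ENCODED_PERIOD_RE = re.compile(r"%2e", re.I)


def _extension(name):
    """Last dot-separated component of a name, lower-cased ('' if no dot)."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def analyze_filename(raw_name):
    """Compare the extension a user would see with the handler the OS would pick.

    Model (assumption, following the alert's description): the download dialogue
    shows the name only up to the first percent-encoded period, while the OS
    gets the fully decoded name and dispatches on a trailing {CLSID} if present.
    """
    shown = ENCODED_PERIOD_RE.split(raw_name, maxsplit=1)[0]
    decoded = unquote(raw_name)
    match = CLSID_RE.search(decoded)
    displayed_ext = _extension(shown)
    decoded_ext = _extension(decoded)
    clsid = match.group(0).upper() if match else None
    # Any trailing class ID is a red flag on its own; an encoded period that
    # hides a different final extension (e.g. .pdf%2eexe) is flagged as well.
    suspicious = clsid is not None or (
        ENCODED_PERIOD_RE.search(raw_name) is not None and decoded_ext != displayed_ext
    )
    return {
        "raw": raw_name,
        "displayed_ext": displayed_ext,
        "decoded_ext": decoded_ext,
        "clsid": clsid,
        "suspicious": suspicious,
    }


def flag_suspicious(names):
    """Return the raw names a gateway should block or rename before delivery."""
    return [r["raw"] for r in map(analyze_filename, names) if r["suspicious"]]


# Constructed sample names (not from any real capture). The braces value is the
# class ID commonly associated with HTML Applications; treat it as illustrative.
SAMPLE_NAMES = [
    "quarterly-report.pdf",
    "quarterly-report.pdf%2e{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}",
    "invoice.pdf.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}",
    "notes.txt%2Eexe",
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        r = analyze_filename(name)
        print(f"{'BLOCK' if r['suspicious'] else 'allow'} {name!r}: "
              f"shown as .{r['displayed_ext'] or '(none)'}, "
              f"decoded as .{r['decoded_ext'] or '(none)'}, clsid={r['clsid']}")
```

Note that the check decodes the name exactly once before looking for the class ID; a gateway that only inspects the raw, still-encoded string would see ".pdf" followed by opaque characters and wave it through, which is the same mistake the dialogue makes.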