
Internet Explorer Vulnerability: Dec 13

Discussion in 'Web & Email' started by eddie5659, Dec 14, 2001.

Thread Status:
Not open for further replies.
  1. eddie5659

    eddie5659 Moderator Malware Specialist Thread Starter

    Mar 19, 2001

    Cumulative Patch for IE

    - The first vulnerability involves a flaw in the handling of the
    Content-Disposition and Content-Type header fields in an HTML
    stream. These fields, the hosting URL, and the hosted file data
    determine how a file is handled upon download in Internet
    Explorer. A security vulnerability exists because, if an
    attacker altered the HTML header information in a certain way,
    it could be possible to make IE believe that an executable file
    was actually a different type of file -- one that it is
    appropriate to simply open without asking the user for
    confirmation. This could enable the attacker to create a web
    page or HTML mail that, when opened, would automatically run an
    executable on the user's system. This vulnerability affects
    IE 6.0 only. It does not affect IE 5.5.

    - The second vulnerability is a newly discovered variant of the
    "Frame Domain Verification" vulnerability discussed in Microsoft
    Security Bulletin MS01-015. The vulnerability could enable a
    malicious web site operator to open two browser windows, one in
    the web site's domain and the other on the user's local file
    system, and to pass information from the latter to the former.
    This could enable the web site operator to read, but not change,
    any file on the user's local computer that could be opened in a
    browser window. This vulnerability affects both IE 5.5 and 6.0.

    - The third vulnerability involves a flaw related to the display
    of file names in the File Download dialogue box. When a file
    download is initiated, a dialogue provides the name of the file.
    However, in some cases, it would be possible for an attacker to
    misrepresent the name of the file in the dialogue. This could be
    invoked from a web page or in an HTML email in an attempt to
    fool users into accepting unsafe file types from a trusted
    source. This vulnerability affects both IE 5.5 and 6.0.
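
The first item above names four inputs that decide how a download is handled: Content-Type, Content-Disposition, the hosting URL, and the file data. The following is an added example, not part of the original post or the bulletin, of a gateway-side check that flags responses where those inputs disagree about whether the content is executable. The extension and MIME-type lists, the finding codes, and the sample responses are assumptions made for illustration.

```python
import posixpath
from email.message import Message
from urllib.parse import urlparse

# Assumed policy lists for this example; adjust to local policy.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}
EXECUTABLE_TYPES = {"application/octet-stream", "application/x-msdownload"}


def _is_exec_name(name):
    """True when the file name ends in an extension we treat as executable."""
    return posixpath.splitext(name or "")[1].lower() in EXECUTABLE_EXTS


def check_download(url, headers, body_prefix):
    """Compare the four inputs and return a list of mismatch codes."""
    msg = Message()
    for key, value in headers.items():
        msg[key] = value
    ctype = msg.get_content_type()      # lower-cased "type/subtype"
    filename = msg.get_filename()       # filename= from Content-Disposition
    declared_exec = ctype in EXECUTABLE_TYPES
    name_exec = _is_exec_name(filename)
    url_exec = _is_exec_name(urlparse(url).path)
    data_exec = body_prefix[:2] == b"MZ"  # DOS/PE executable signature

    findings = []
    if not declared_exec:
        if name_exec:
            findings.append("filename-vs-type")
        if url_exec:
            findings.append("url-vs-type")
        if data_exec:
            findings.append("data-vs-type")
    if data_exec and filename and not name_exec:
        findings.append("data-vs-filename")
    return findings


if __name__ == "__main__":
    # Constructed sample response: headers claim text, name and data say executable.
    sample_headers = {
        "Content-Type": "text/plain",
        "Content-Disposition": 'attachment; filename="report.exe"',
    }
    print(check_download("http://example.test/files/report.txt",
                         sample_headers, b"MZ\x90\x00"))
```

An empty list means the headers, URL and leading bytes agree; any finding is a reason to block the response or force a save prompt at the gateway.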




Short URL to this thread: https://techguy.org/61707
