[CS-FSLUG] Microsoft Internet Explorer "Save Picture As" Image Download Spoofing Vulnerability
Fred A. Miller
fmiller at lightlink.com
Fri Nov 26 08:49:33 CST 2004
Microsoft Internet Explorer "Save Picture As" Image Download Spoofing
Vulnerability
SECUNIA ADVISORY ID:
SA13317
VERIFY ADVISORY:
http://secunia.com/advisories/13317/
CRITICAL:
Moderately critical
IMPACT:
Spoofing
WHERE: From remote
SOFTWARE:
Microsoft Internet Explorer 6
http://secunia.com/product/11/
DESCRIPTION:
cyber flash has discovered a vulnerability in Microsoft Internet
Explorer, which can be exploited by malicious people to trick users
into downloading malicious files.
The vulnerability is caused due to Internet Explorer using the file
extension from the URL's filename when saving images with the "Save
Picture As" command and also strips the last file extension if
multiple file extensions exist. This can be exploited by a malicious
web site to cause a valid image with malicious, embedded script code
to be saved with an arbitrary file extension.
Successful exploitation may allow a malicious web site to trick users
into downloading e.g. a malicious HTML Application (.hta) masqueraded
as a valid image. However, exploitation requires that the option
"Hide extension for known file types" is enabled (default setting).
The vulnerability has been confirmed on a fully patched system with
Internet Explorer 6.0 and Microsoft Windows XP SP2.
NOTE: A PoC (Proof of Concept) is publicly available.
SOLUTION:
Disable the "Hide extension for known file types" option.
PROVIDED AND/OR DISCOVERED BY:
cyber flash
OTHER REFERENCES:
"Right-Clicking, Selecting 'Save Picture As' Does Not Save Image with
Correct Extension":
http://support.microsoft.com/kb/250747
--
"Democracy is two wolves and a lamb voting on what to
have for lunch. Liberty is a well-armed lamb contesting the
vote." - Benjamin Franklin 1759
More information about the Christiansource
mailing list