Signature Detail

HTTP: Internet Explorer Save As Extension Hiding

This signature detects attempts to exploit a known vulnerability in Internet Explorer 5.0, 5.5, and 6.0. Attackers can use a double extension when creating a link to a file; this link can trick users into believing they are downloading a specific file type (HTML, BMP, HTA, etc.) when they are actually downloading a different file type (GIF, EXE, BAT, etc.). Using this method, attackers can place malicious code on a target computer, then use another exploit to run that code. Note: This signature can also produce false positives.

Extended Description

Microsoft Internet Explorer is reported susceptible to a filename extension spoofing vulnerability when utilizing the 'Save Image As' feature. Reportedly, this vulnerability is only possible when Internet Explorer is configured with 'Hide extension for known file types' enabled. This is the default configuration. This vulnerability may facilitate the spoofing of filename extensions, resulting in malicious content being inadvertently downloaded to vulnerable Web users. This issue may be related to BID 3597.

Affected Products

• Microsoft Internet Explorer 5.0
• Microsoft Internet Explorer 5.0.1
• Microsoft Internet Explorer 5.0.1 For Windows 2000
• Microsoft Internet Explorer 5.0.1 For Windows 95
• Microsoft Internet Explorer 5.0.1 For Windows 98
• Microsoft Internet Explorer 5.0.1 For Windows NT 4.0
• Microsoft Internet Explorer 5.0.1 SP1
• Microsoft Internet Explorer 5.0.1 SP2
• Microsoft Internet Explorer 5.0.1 SP3
• Microsoft Internet Explorer 5.0.1 SP4
• Microsoft Internet Explorer 5.0 For Windows 2000
• Microsoft Internet Explorer 5.0 For Windows 95
• Microsoft Internet Explorer 5.0 For Windows 98
• Microsoft Internet Explorer 5.0 For Windows NT 4.0
• Microsoft Internet Explorer 5.5
• Microsoft Internet Explorer 5.5 Preview
• Microsoft Internet Explorer 5.5 SP1
• Microsoft Internet Explorer 5.5 SP2
• Microsoft Internet Explorer 6.0
• Microsoft Internet Explorer 6.0 SP1

References

• BugTraq: 11768