Vulnerability Development mailing list archives

Automatic MIME type detection in Internet Explorer 6.x allowed


From: knight4vn () yahoo com
Date: 3 Aug 2006 10:08:02 -0000

Automatic MIME type detection in Internet Explorer 6.x allowed 
downloading executable file automatically

+Background:
  What is Internet Explorer automatic MIME type detection?
 - This feature was included in IE to detect the exact MIME type of a
   file that the server sends to the browser, by using the
   FindMimeFromData method.

+Description:
 - I've found out that, using automatic MIME type detection, we can
   force IE to download any file (including executable files) without
   the user's knowledge by causing IE to treat an executable file as an
   image (jpg, gif, ...). Thus, IE automatically downloads the file
   regardless of the file type and saves it in the "Temporary Internet
   Files" folder when the user visits the attacker's website.

+Exploitation:
   - Force the user to download any executable file:
          _ Create a file named "app.exe" with a head body containing
            any jpg file content, to force IE MIME type detection to
            recognize it as an image file.
          _ When the user browses the website that contains the file
            we've just created, IE simply treats it as an image, so it
            automatically saves that file in the Temporary folder.
          * This exploit can be found here:
            Open this link: http://sendmailplus.com/knight4vn/app1.exe
            Open this link: http://sendmailplus.com/knight4vn/app2.exe
            After that, check for the appearance of "app1.exe" and
            "app2.exe" in your "Temporary internet folder".
   - IE treats malicious javascript as an image:
          * This exploit can be found here:
            http://www.sendmailplus.com/knight4vn/js.gif
            http://www.sendmailplus.com/knight4vn/js.jpg
            http://www.sendmailplus.com/knight4vn/js.png

Discovered by: Knight Commander (knight4vn () yahoo com, 
knight4vn () vietcert com)
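
As an added example (not part of the original post), a check a defender could run over files before serving or storing them: it compares the type a file name claims with the type its leading bytes imply, and looks for script markers in files named as images. The signature table, marker list, function names and sample inputs are assumptions constructed for illustration.

```python
import os

# Leading-byte signatures: the image formats named in the post, plus PE ("MZ").
SIGNATURES = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"MZ", "application/x-msdownload"),
]
# Type each file extension claims (illustrative table, not exhaustive).
EXPECTED = {".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".gif": "image/gif",
            ".png": "image/png", ".exe": "application/x-msdownload"}
# Tokens that suggest HTML or script content (assumed list, tune as needed).
SCRIPT_MARKERS = (b"<script", b"<html", b"<body", b"<iframe", b"javascript:")

def sniff(data):
    """Return the type implied by the leading bytes, or None if unknown."""
    for magic, mime in SIGNATURES:
        if data.startswith(magic):
            return mime
    return None

def audit(name, data, window=1024):
    """Return findings for one file; an empty list means name and content agree."""
    findings = []
    expected = EXPECTED.get(os.path.splitext(name)[1].lower())
    sniffed = sniff(data)
    if expected and sniffed != expected:
        findings.append(f"{name}: name implies {expected}, content sniffs as {sniffed}")
    if expected and expected.startswith("image/"):
        head = data[:window].lower()
        hits = [m.decode() for m in SCRIPT_MARKERS if m in head]
        if hits:
            findings.append(f"{name}: script/HTML markers in image: {', '.join(hits)}")
    return findings

if __name__ == "__main__":
    # Constructed sample inputs, not the files referenced in the post.
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16,
        "app1.exe": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"MZ\x90\x00",
        "js.gif": b"GIF89a<script>/* constructed */</script>",
    }
    for name, data in samples.items():
        print(name, audit(name, data) or "ok")
```
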

