Vulnerability Development mailing list archives

Re: Automatic MIME type detection in Internet Explorer 6.x allowed


From: Thor Larholm <thor () polypath com>
Date: Fri, 04 Aug 2006 12:57:27 +0200

Denis Jedig wrote:

> If you change file headers to JPEGs, it's not an executable file any more - that simple.

When the file headers are JPEG it's no longer an executable file - for that specific HTTP session of that specific IEXPLORE instance. Outside those constraints, you have still managed to plant an EXE file in a known/predictable location on the target system.

> Even if it were, "downloading" something and placing it in temporary files is not a vulnerability. Executing it is, but this can't happen with the described mechanisms.

Not all vulnerabilities lead to immediate command or code execution. Being able to consistently place an executable file in a known location, however, is an important step in many browser exploit scenarios where you combine several weaknesses to produce the desirable outcome. OBJECT codeBase still allows you to execute files from a known location; you just have to find (yet another) weakness that allows you to circumvent zone boundaries and jump into e.g. HTML help or a whitelisted application such as MSN Messenger, both of which can allow codeBase to still function.

--
Thor Larholm
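Added example, not code from this thread or its authors: a content-type consistency check of the kind a download proxy or endpoint filter could apply to the situation discussed above, flagging bodies whose declared Content-Type disagrees with their magic bytes and declared images that carry an embedded PE executable. The sample bodies are constructed inline and the magic-byte table is deliberately short.

```python
import struct

# Constructed sample bodies, not real downloads: a minimal MZ/PE stub and
# the leading bytes of a genuine JPEG (SOI marker + JFIF APP0 segment).
def fake_pe_stub() -> bytes:
    stub = bytearray(b"MZ" + b"\x00" * 58)          # DOS header up to e_lfanew
    stub += struct.pack("<I", 0x40)                 # e_lfanew -> PE header at 0x40
    stub += b"PE\x00\x00" + b"\x00" * 20            # PE signature + padding
    return bytes(stub)

JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"

SAMPLES = {
    "jpeg_ok":       (JPEG_HEAD, "image/jpeg"),
    "exe_as_jpeg":   (fake_pe_stub(), "image/jpeg"),               # EXE served as image
    "jpeg_then_exe": (JPEG_HEAD + fake_pe_stub(), "image/jpeg"),   # polyglot body
}

def pe_at(data: bytes, off: int = 0) -> bool:
    """True if an MZ stub at `off` has an e_lfanew pointing at a PE signature."""
    if data[off:off + 2] != b"MZ" or len(data) < off + 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    sig = off + e_lfanew
    return data[sig:sig + 4] == b"PE\x00\x00"

def sniff(data: bytes) -> str:
    """Classify a body by its leading magic bytes (short table for the example)."""
    if pe_at(data):
        return "application/x-msdownload"
    if data[:3] == b"\xff\xd8\xff":
        return "image/jpeg"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "image/png"
    return "application/octet-stream"

def check_download(data: bytes, declared: str) -> dict:
    """Compare the declared Content-Type with the sniffed type; for declared
    images, also look for a PE image embedded anywhere in the body."""
    sniffed = sniff(data)
    embedded = [i for i in range(len(data) - 1)
                if data[i:i + 2] == b"MZ" and pe_at(data, i)]
    return {
        "declared": declared,
        "sniffed": sniffed,
        "mismatch": sniffed != declared,
        "embedded_pe_offsets": embedded,
        "block": sniffed != declared or (declared.startswith("image/") and bool(embedded)),
    }

if __name__ == "__main__":
    for name, (body, ctype) in SAMPLES.items():
        print(name, check_download(body, ctype))
```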

