Bugtraq mailing list archives

Re: File extensions spoofable in MSIE download dialog


From: static () tampabay rr com
Date: Fri, 30 Nov 2001 19:38:37 -0500

Other people have emailed me that the vulnerability I described causes IE6.0 to not give a security warning about 
executing the .exe like IE5.0 does.  In my testing with IE6.0, just clicking on a calc.exe directly does not even give 
a security warning either.  I don't know much about IE6.0 yet, so maybe someone else will have an answer that can 
explain why the default config of IE6.0 does not produce the security warning that older versions did when clicking on 
an .exe directly and choosing open.  The bigger issue to me is how vulnerable IE5.5 sp2 is.

And to keep people from emailing me telling me their IE5.5 does have the vulnerability I described using the 
readme.txt php script...  IE5.5 sp2 is the only version of IE5.5 that will run the executable without first prompting 
the user with the real .exe filename so far found (have not tested IE5.5 sp1).  It is rather interesting that IE5.5 
without any service pack does not have the vulnerability.  It appears sp2 (maybe sp1?) broke something that made this 
vulnerability possible.

I have to wonder if this is a separate vulnerability with IE5.5 sp2 than what the initial poster alerted us to.  Until 
he releases more info I guess we will never know.

StatiC

On Fri, Nov 30, 2001 at 01:07:05PM +1100, Paul Szabo wrote:
chef () cube blinx de wrote:

I tested it right now, with IE6; Q312461 / WinXP and I think
there is no problem at all.

First a question for text.txt pops up and when I say "open"
a second message with question for save / open pops up.
This second popup tells the right name "calc.exe".
Finally when I say "open" it opens the calculator.

For testing: http://www.geilerserver.de/text.txt

and static () tampabay rr com confirmed:

It appears only IE5.5 has this problem.  I just tested with IE5.0 sp2 and
IE6 and both of those versions prompt and wait for user intervention for
readme.txt and then wait a second time while prompting to ask to
open/saveas calc.exe.

I still see a problem with IE6. The first dialog says:

  You are downloading text.txt ...
  Open  Save  Cancel

If I choose to save, then the file dialog shows the name calc.exe, but I may
not pay attention to that; and when it finishes it says:

  Download complete
  Saved: calc.exe ...
  Open  OpenFolder  Close

and if I choose to open then it runs the rogue application. Unless the user
pays attention to the names shown, he may unwittingly run the rogue
application; there is no extra security popup.

Cheers,

Paul Szabo - psz () maths usyd edu au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia
