Software Engineering Institute

Microsoft Internet Explorer (IE) supports a proprietary DHTML command called SaveAs, which saves the current document to a file. SaveAs is invoked by the execCommand method and can save any data that is displayed within the browser to a file. By setting the value of the appropriate SaveAs paramater, the full path and filename (including extension) can be specified.

Normally, the SaveAs command is used to save HTML documents. However, any file that can be displayed in a browser window can be saved to a file by the SaveAs command. Certain combinations of file extension and/or server-provided MIME type will cause IE to display binary data within the browser window. In such cases, SaveAs can be used to save an executable file to the local filesystem. The data to be saved could be contained within a hidden FRAME or IFRAME element.

The dialog presented by the SaveAs command has the following characteristics that facilitate an attacker's ability to deceive the user:

1. The "Save as type" field of the dialog always displays "HTML File (*.htm; *.html)," regardless of the content that it is actually saving.
2. Although the "Save as type" field indicates that it is saving an HTML file, it does not save a file with a .htm or .html extension.

An attacker could convince a user to save an arbitrary file to a specific location on the local filesystem. This file could appear to be an HTML document, when it actually is an executable file.

Disable Active scripting
Disabling Active scripting prevents execCommand from running. As a result, the SaveAs command will not execute, thus preventing the spoofed save dialog. Instructions for disabling Active scripting can be found in the Malicious Web Scripts FAQ. Note that disabling Active scripting will reduce the functionality of many web sites.

Disable "Hide extensions for known file types"

The default configuration for Windows is to hide the extensions for known file types. An attacker can take advantage of this by creating a file with double extensions. For example, "file.html.exe" will appear as "file.html" by default. This can allow executable files to masquerade as less dangerous file types. Configure Windows Explorer to show all file extensions. Displaying the actual file extension will make it easier to understand what type of file is being saved.