
CERT Coordination Center

Microsoft Internet Explorer execCommand() method SaveAs command uses misleading "Save HTML Document" dialog

Vulnerability Note VU#743974

Original Release Date: 2004-12-17 | Last Revised: 2004-12-17

Overview

Microsoft Internet Explorer contains a vulnerability in the way that it presents a Save As dialog. By invoking the SaveAs command with execCommand, an attacker could display a dialog that could trick a user into saving arbitrary content.

Description

Microsoft Internet Explorer (IE) supports a proprietary DHTML command called SaveAs, which saves the current document to a file. SaveAs is invoked by the execCommand method and can save any data that is displayed within the browser to a file. By setting the value of the appropriate SaveAs parameter, the full path and filename (including extension) can be specified.

Normally, the SaveAs command is used to save HTML documents. However, any file that can be displayed in a browser window can be saved to a file by the SaveAs command. Certain combinations of file extension and/or server-provided MIME type will cause IE to display binary data within the browser window. In such cases, SaveAs can be used to save an executable file to the local filesystem. The data to be saved could be contained within a hidden FRAME or IFRAME element.

The dialog presented by the SaveAs command has the following characteristics that facilitate an attacker's ability to deceive the user:

1. The "Save as type" field of the dialog always displays "HTML File (*.htm; *.html)," regardless of the content that it is actually saving.
2. Although the "Save as type" field indicates that it is saving an HTML file, it does not save a file with a .htm or .html extension.
3. The default configuration for Windows is to hide the file extension for known file types. With file extensions hidden, a file called "file.html.exe" on the filesystem will appear as "file.html" in the save dialog and also in Windows Explorer.

When downloading a file with Windows XP SP2, the user is normally presented with a dialog titled "File Download - Security Warning." When the SaveAs command is used to save a file, this security dialog is bypassed. In addition, Windows XP SP2 normally stores the zone information about downloaded files in an NTFS Alternate Data Stream. This is known as a Persistent Zone Identifier. Files saved with the SaveAs command do not contain this zone information. This means that the user will not be presented with the security warning dialog when an application saved with the SaveAs command is executed.

Impact

An attacker could convince a user to save an arbitrary file to a specific location on the local filesystem. This file could appear to be an HTML document, when it actually is an executable file.

Solution

Disable Active scripting

Disabling Active scripting prevents execCommand from running. As a result, the SaveAs command will not execute, thus preventing the spoofed save dialog. Instructions for disabling Active scripting can be found in the Malicious Web Scripts FAQ. Note that disabling Active scripting will reduce the functionality of many web sites.

Disable "Hide extensions for known file types"

The default configuration for Windows is to hide the extensions for known file types. An attacker can take advantage of this by creating a file with double extensions. For example, "file.html.exe" will appear as "file.html" by default. This can allow executable files to masquerade as less dangerous file types. Configure Windows Explorer to show all file extensions. Displaying the actual file extension will make it easier to understand what type of file is being saved.
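The following PowerShell script is an added example and is not part of this vulnerability note or of any Microsoft tooling. It applies the two workarounds from the Solution section through the registry and then audits a folder for the two symptoms the Description calls out: a double extension such as "file.html.exe" and the absence of the Zone.Identifier alternate data stream that IE's normal download path writes. It assumes Windows PowerShell 3.0 or later (for the -Stream parameter), per-user HKCU settings, and a placeholder folder path supplied by the caller.

```powershell
# Added defensive example (not from the CERT note). Assumes Windows PowerShell 3.0+
# and per-user (HKCU) settings; the folder passed to Find-SuspiciousDownloads is a
# placeholder chosen by the caller.

function Set-ShowFileExtensions {
    # Windows Explorer -> "Hide extensions for known file types" -> off.
    # HideFileExt = 0 makes "file.html.exe" display with its real extension.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    Set-ItemProperty -Path $key -Name 'HideFileExt' -Value 0 -Type DWord
}

function Disable-InternetZoneActiveScripting {
    # Internet Options -> Security -> Internet zone -> Scripting -> Active scripting.
    # Zone 3 is the Internet zone; setting 1400 is Active scripting; 3 means Disable.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    Set-ItemProperty -Path $key -Name '1400' -Value 3 -Type DWord
}

function Test-HasZoneIdentifier {
    param([Parameter(Mandatory)][string]$Path)
    # The Persistent Zone Identifier is an NTFS alternate data stream named
    # Zone.Identifier. Files written through SaveAs do not carry it.
    $stream = Get-Item -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    return [bool]$stream
}

function Find-SuspiciousDownloads {
    param([Parameter(Mandatory)][string]$Folder)
    # A harmless-looking extension immediately followed by an executable one,
    # e.g. file.html.exe or invoice.pdf.scr (list of extensions is illustrative).
    $doubleExt = '\.(htm|html|txt|pdf|doc|jpg|gif)\.(exe|scr|com|pif|bat|cmd)$'

    Get-ChildItem -LiteralPath $Folder -File | ForEach-Object {
        $looksDouble = $_.Name -imatch $doubleExt
        $hasZone     = Test-HasZoneIdentifier -Path $_.FullName

        if ($looksDouble -and -not $hasZone) { $reason = 'double extension, no zone mark' }
        elseif ($looksDouble)                { $reason = 'double extension' }
        elseif (-not $hasZone)               { $reason = 'no zone mark' }
        else                                 { $reason = $null }

        if ($reason) {
            [pscustomobject]@{
                Name            = $_.Name
                DoubleExtension = $looksDouble
                ZoneIdentifier  = $hasZone
                Reason          = $reason
            }
        }
    }
}

# Usage (placeholder path; run in an elevated or per-user context as appropriate):
# Set-ShowFileExtensions
# Disable-InternetZoneActiveScripting
# Find-SuspiciousDownloads -Folder "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
```

Files that legitimately lack a Zone.Identifier stream (copied from local media, or on FAT volumes that have no alternate data streams) will also be reported, so the "no zone mark" reason is a triage hint rather than a verdict; the combination of a double extension and a missing zone mark is the pattern this note describes.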

Vendor Information


Microsoft Corporation: Affected

Notified: December 06, 2004 | Updated: December 17, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.


Acknowledgements

This vulnerability was reported by cyber flash.

This document was written by Will Dormann.

Other Information

CVE IDs: None
Severity Metric: 1.69
Date Public: 2004-11-17
Date First Published: 2004-12-17
Date Last Updated: 2004-12-17 20:21 UTC
Document Revision: 15

Sponsored by CISA.