Overview
Microsoft Internet Explorer (IE) may handle executable content automatically, opening it with another application on the client host that may, in turn, instruct the operating system to execute the file.
Description
IE does not properly verify the Content-Disposition and Content-Type headers of downloaded files. As a result, it may be manipulated to open an executable file with forged Content-Disposition and Content-Type headers, using the helper application associated with the MIME type specified by the forged headers. |
Impact
Arbitrary code in the malicious file may be executed, with privileges of the client user. |
Solution
Apply a patch from your vendor See Microsoft Security Bulletin MS02-023 for more information: |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
Acknowledgements
Thanks to Microsoft for reporting this vulnerability.
This document was written by Shawn Van Ittersum.
Other Information
| CVE IDs: | CVE-2002-0193 |
| Severity Metric: | 12.38 |
| Date Public: | 2002-05-15 |
| Date First Published: | 2002-09-24 |
| Date Last Updated: | 2003-09-18 19:04 UTC |
| Document Revision: | 16 |