CERT Coordination Center

Microsoft Internet Explorer download dialog may not display complete filenames

Vulnerability Note VU#457787

Original Release Date: 2001-12-14 | Last Revised: 2002-01-03

Overview

There is a vulnerability in the download dialog box in Internet Explorer versions 5.5 and 6.0. The vulnerability allows an attacker to mislead users, causing them to inadvertently execute arbitrary code on their own systems.

Description

When downloading files included in web pages, users are often presented (depending on their security zone configuration) with a dialog box, requesting authorization to open or save the file. If an attacker includes certain malicious characters in the filename, the dialog box presented to the user may include misleading information about the nature of the file. In particular, the attacker may be able to cause a portion of the filename (such as the file extension) to not be included in the dialog box. An example exploit might cause an executable file to be presented as an image or a text file. If the user chooses to open (run) the file based on its filename, they may inadvertently execute arbitrary code supplied by the attacker.

The default setting of the dialog box is to "save" the file rather than "open" it. Users who accept the default option would only save the malicious code to their local systems. In order for the code to be executed, the user would have to intentionally execute the program by clicking "open."

This attack may occur in a malicious web page or in an HTML email message.
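A mail or web gateway can screen offered download names for the pattern described above before a user ever sees a dialog. The following is an added example, not code from CERT/CC or Microsoft. The note does not name the characters involved, so the check treats any control or format character and any whitespace padding as suspicious; the extension lists and sample names are assumptions constructed for illustration.

```python
import re
import unicodedata

# Assumption: extensions Windows runs directly (not a list from the advisory).
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".hta"}
# Assumption: extensions a user is likely to consider harmless.
DECOY_RE = re.compile(r"\.(txt|jpe?g|gif|bmp|doc|pdf|html?)(?![a-z0-9])")


def real_extension(name):
    """Extension the OS would act on; trailing dots and spaces are ignored."""
    trimmed = name.rstrip(". \t")
    dot = trimmed.rfind(".")
    return trimmed[dot:].lower() if dot != -1 else ""


def audit_download_name(name):
    """Return a list of findings for a filename offered for download."""
    findings = []
    # Unicode categories C* cover control, format and unassigned characters.
    if any(unicodedata.category(ch).startswith("C") for ch in name):
        findings.append("control-or-format-character")
    # Long whitespace runs or non-ASCII spaces can push text out of a dialog.
    odd_space = any(unicodedata.category(c) == "Zs" and c != " " for c in name)
    if re.search(r"\s{3,}", name) or odd_space:
        findings.append("padding-whitespace")
    ext = real_extension(name)
    if ext in EXECUTABLE_EXTS:
        findings.append("executable-extension")
        stem = name.rstrip(". \t")[: -len(ext)].lower()
        if DECOY_RE.search(stem):
            findings.append("decoy-extension")
    return findings


def should_block(name):
    """Block executables whose name also carries a sign of display tampering."""
    findings = audit_download_name(name)
    return "executable-extension" in findings and len(findings) > 1


if __name__ == "__main__":
    # Constructed sample names, not taken from any real incident.
    samples = ["report.txt", "setup.exe", "holiday.jpg" + " " * 20 + ".exe",
               "notes.txt\x00.bat"]
    for s in samples:
        print(repr(s), audit_download_name(s), should_block(s))
```

A plainly named executable such as `setup.exe` is reported but not blocked, because the dialog would show its real type; only names that pair an executable extension with a sign of tampering are rejected.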

Impact

Attackers can manipulate file extensions to alter the behavior of a download dialog box, thus misleading users into executing arbitrary code. Any such code would run with the privileges of the user who initiated the download.

Solution

Apply a patch from your vendor

Microsoft has released a cumulative patch for Internet Explorer, correcting this vulnerability and several others. For more information about the patch and the vulnerabilities, please see Microsoft Security Bulletin MS01-058:

http://www.microsoft.com/technet/security/bulletin/MS01-058.asp

Disable file downloads in untrusted security zones


You can prevent the misleading dialog box from being presented to the user by disabling file downloads in untrusted security zones.

Vendor Information

Microsoft Affected

Updated:  December 17, 2001

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Microsoft has published an advisory describing this vulnerability and two others (VU#443699 & VU#112475) at:


Acknowledgements

Microsoft has publicly acknowledged Jouko Pynnonen of Oy Online Solutions Ltd as the reporter of this vulnerability.

This document was written by Cory F. Cohen.

Other Information

CVE IDs: CVE-2001-0875
Severity Metric: 6.90
Date Public: 2001-12-13
Date First Published: 2001-12-14
Date Last Updated: 2002-01-03 21:09 UTC
Document Revision: 23

Sponsored by CISA.