HTTP: Internet Explorer Save As Extension Hiding

This signature detects attempts to exploit a known vulnerability in Internet Explorer 5.0, 5.5, and 6.0. Attackers can use a double extension when creating a link to a file; this link can trick users into believing they are downloading a specific file type (HTML, BMP, HTA, etc.) when they are actually downloading a different file type (GIF, EXE, BAT, etc.). Using this method, attackers can place malicious code on a target computer, then use another exploit to run that code. Note: This signature can also produce false positives.

Extended Description

Microsoft Internet Explorer is reported susceptible to a filename extension spoofing vulnerability when utilizing the 'Save Image As' feature. Reportedly, this vulnerability is only possible when Internet Explorer is configured with 'Hide extension for known file types' enabled. This is the default configuration. This vulnerability may facilitate the spoofing of filename extensions, resulting in malicious content being inadvertently downloaded to vulnerable Web users. This issue may be related to BID 3597.

Affected Products

Microsoft internet_explorer

References

BugTraq: 11768

Short Name
HTTP:EXPLOIT:IE-SAVE-AS-HIDE
Severity
Minor
Recommended
False
Recommended Action
None
Category
HTTP
Keywords
As Explorer Extension Hiding Internet Save bid:11768
Release Date
12/02/2004
Supported Platforms

srx-branch-12.3

srx-19.3

srx-branch-19.3

vsrx3bsd-19.2

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

vsrx3bsd-19.4

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-12.3

Sigpack Version
3375
False Positive
Occasionally
Vendors

Microsoft
