HTTP: Microsoft IE File Download Extension Spoofing

This signature detects attempts to exploit a known vulnerability in Microsoft Internet Explorer. A successful attack can allow a malicious user to spoof the file extension of downloaded files.

Extended Description

A vulnerability has been reported in the Windows Shell that may allow files to be misrepresented to client users. The reported vulnerability involves specifying the CLSID for HTML applications in the name of a malicious file, followed by another file name and extension. This issue could be exploited to disguise executable content in the form of an HTML application (HTA) file as a file type that may appear innocuous to a victim user, such as a media file. The file will appear to be of an attacker-specified type in the file download dialog presented to the user. The user may then download/open that file under the assumption it is safe, which could result in execution of malicious code on the client system in the context of the victim user. A proof-of-concept was released which creates an embedded web interface to play a media file, which could further convince the user to open the malicious HTML application.

Affected Products

Avaya s8100_media_servers, Microsoft windows_nt_terminal_server

Short Name
HTTP:STC:IE:FILE-EXT-SPOOF
Severity
Minor
Recommended
True
Recommended Action
Drop
Category
HTTP
Keywords
CVE-2004-0420 Download Extension File IE Microsoft Spoofing bid:9510
Release Date
07/14/2004
Supported Platforms

srx-branch-12.3

srx-19.3

srx-branch-19.3

vsrx3bsd-19.2

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

vsrx3bsd-19.4

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-12.3

Sigpack Version
3725
False Positive
Unknown
Vendors

Microsoft

Avaya

CVSS Score

10.0
