New IE flaw could hide malicious script behind a JPG
By Matt Whipp
Posted on 26 Nov 2004 at 15:45
Another flaw in IE has been discovered that could be used to dupe users into downloading scripts.
Finnish security company Secunia describes the flaw - discovered by an outfit called cyber flash - as 'moderately critical'.
The problem occurs in the way Internet Explorer 6 displays the filename of an image to be downloaded using the 'Save Picture As' command. The dialog box that subsequently pops up only shows the URL of the file and the first file extension. So the file that is displayed as being downloaded may appear to be a harmless JPEG, but in fact include script code. And the true nature of, say, a malicious HTML Application (.hta) will be hidden on Windows XP systems, where the 'Hide extension for known file types' setting is enabled by default.
Secunia says the bug has been verified on Windows XP systems that are fully up to date and running Service Pack 2.
Microsoft offers a workaround for the problem on its Knowledge Base.
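As an added example (not from the article, Secunia or Microsoft), the Python check below flags saved files whose name reads as an image once Windows hides the final extension, but whose real extension is a script or executable type. The extension lists and the sample filenames are assumptions constructed for illustration.

```python
import ntpath

# Assumed lists for illustration; extend them to match local policy.
SCRIPT_EXTS = {".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh",
               ".scr", ".exe", ".bat", ".cmd"}
IMAGE_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".bmp"}


def split_extensions(filename):
    """Return (name shown with extensions hidden, real extension)."""
    # Win32 drops trailing dots and spaces when the file is created,
    # so normalise them before looking at the extension.
    name = ntpath.basename(filename).rstrip(". ")
    shown, real_ext = ntpath.splitext(name)
    return shown, real_ext.lower()


def is_disguised(filename):
    """True when the visible name ends in an image extension but the
    real (last) extension is a script or executable type."""
    shown, real_ext = split_extensions(filename)
    if real_ext not in SCRIPT_EXTS:
        return False
    # A space or dot before the real extension must not hide the decoy.
    shown_ext = ntpath.splitext(shown.rstrip(". "))[1].lower()
    return shown_ext in IMAGE_EXTS


def flag_downloads(filenames):
    """Return the subset of filenames that look like disguised scripts."""
    return [f for f in filenames if is_disguised(f)]


# Constructed sample filenames, not taken from any real incident.
SAMPLE = [
    "holiday.jpg",
    "holiday.jpg.hta",
    "HOLIDAY.JPG.HTA. ",
    "photo.jpg .hta",
    "report.hta",
    "archive.tar.gz",
    r"C:\Users\a\Downloads\cat.gif.vbs",
]

if __name__ == "__main__":
    for name in flag_downloads(SAMPLE):
        print("suspicious:", repr(name))
```

Run against a downloads folder listing, a check like this surfaces files that should be reviewed regardless of how Explorer displays them.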
