Story from vunet.com:
Details of a vulnerability in Microsoft’s Internet Explorer (IE) browser were released today after a 30-day ‘cooling off’ period to allow users to install the patch.
Depending on who you talk to, the bug reported on security mailing lists on 14 December is either the biggest hole ever to be found in IE or just an everyday glitch.
But the crux of the vulnerability is that by simply placing the characters %00, otherwise known as a null byte, into a filename on a maliciously configured web server, a user could be tricked into opening dangerous content.
Online Solutions, the security firm credited with discovering the flaw, explained that a filename such as ‘README.TXT%00PROG.EXE’ would appear to open Readme.txt but, in reality, could open the potentially malicious Prog.exe.
Combine this with another issue in the content disposition header and Mime type, and the browser could be tricked into downloading and running a program without any download dialogs or warnings at all.
Microsoft has acknowledged that IE versions 5.5 and 6 are vulnerable and has given the flaw a ‘critical’ rating.