Story from vunet.com:
Details of a vulnerability in Microsoft’s Internet Explorer (IE) browser were released today after a 30-day ‘cooling off’ period to allow users to install the patch.
Depending on who you talk to, the bug reported on security mailing lists on 14 December is either the biggest hole ever to be found in IE or just an everyday glitch.
But the crux of the vulnerability is that by simply placing the characters %00, otherwise known as a null byte, into a filename on a maliciously configured web server, a user could be tricked into opening dangerous content.
Online Solutions, the security firm credited with discovering the flaw, explained that a filename such as ‘README.TXT%00PROG.EXE’ would appear to open Readme.txt but, in reality, could open the potentially malicious Prog.exe.
Combine this with another issue in the content disposition header and Mime type, and the browser could be tricked into downloading and running a program without any download dialogs or warnings at all.
Microsoft has acknowledged that IE versions 5.5 and 6 are vulnerable and has given the flaw a ‘critical’ rating.
This post has no feedback yet.
Do you have any thoughts you want to share? A question, maybe? Or is something in this post just plainly wrong? Then please send an e-mail to
vegard at vegard dot net with your input. You can also use any of the other points of contact listed on the About page.
|2002-01-16 09:03 CET|