Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » Microsoft Internet Explorer Content-Type Field Arbitrary File Execution Vulne

Microsoft Internet Explorer Content-Type Field Arbitrary File Execution Vulne

by Nikola Strahija on February 14th, 2002 Microsoft Internet Explorer uses the Content-Type HTML header field to determine how to handle a file when downloading it from a website. A flaw exists in the way that Internet Explorer processes the Content-Type field. It would be possible to create a Content-Type field that would allow a file to be downloaded to the user's system and automatically executed with the appropriate application.


It is important to note that since Microsoft Outlook and Outlook Express use Internet Explorer to interpret HTML email messages, this vulnerability could also be exploited through HTML email or newsgroup postings.

Remote: Yes

Exploit: There is no exploit code.

Solution: Microsoft has released patches to address this issue:



Microsoft Internet Explorer 5.0.1SP2:

Microsoft Patch q316059_IE 5.01
http://download.microsoft.com/download/ie501sp2/secpac25/5.01_sp2/NT5/EN-US/q316059.exe

Microsoft Internet Explorer 5.5SP2:

Microsoft Patch q316059_IE 5.5SP2
http://download.microsoft.com/download/ie55sp2/secpac25/5.5_sp2/WIN98Me/EN-US/q316059.exe

Microsoft Internet Explorer 5.5SP1:

Microsoft Patch q316059_IE 5.5SP1
http://download.microsoft.com/download/ie55sp1/secpac25/5.5_sp1/WIN98Me/EN-US/q316059.exe

Microsoft Internet Explorer 6.0:

Microsoft Patch q316059_IE6
http://download.microsoft.com/download/IE60/secpac25/6/W98NT42KMeXP/EN-US/q316059.exe



Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »