
Origin of downloaded files can be spoofed in MSIE

by Nikola Strahija on August 28th, 2002

Microsoft Internet Explorer contains a flaw that allows the origin of a file, as shown in the download dialog, to be spoofed. A download can be initiated automatically by a web site or by a mail message. If Internet Explorer decides the file is not suitable to be opened directly, the user is presented with a download dialog that shows the file name and the web server the file is supposedly coming from.

The user can then choose whether the file should be opened or
saved to disk, or can cancel the download. By exploiting this flaw, the
web server name shown in this dialog can be freely chosen by whoever
initiates the download.

The user could thus be tricked into believing that a malicious file being
downloaded comes from a trusted source and is a useful or necessary piece
of software. If such a file is opened, it can do anything the user could
do on the system. Nothing in the download dialog itself reveals that the
file origin has been spoofed, so the server name shown there cannot be
relied on as a signal of where the file really came from.


Technically this vulnerability is very similar to the "file extension
spoofing" vulnerability reported by Online Solutions Ltd in 2001. In both
cases a specially formed URL causes Internet Explorer to display wrong
information in the download dialog. In this case, however, the technical
behaviour of the download itself is not affected: a malicious site can NOT
cause the downloaded file to be opened automatically. The user still has
to make the decision to open or save the file.


Microsoft was informed on July 5th. A patch correcting the flaw has been
published on Microsoft's site:

As a temporary workaround, file downloads can always be rejected, even when
they appear to originate from a known, trusted website, since the server
name in the dialog cannot be trusted until the patch is applied.

Jouko Pynnonen, Online Solutions Ltd
