
Multiple Vulnerabilities in Microsoft Internet Explorer 6

Reported November 17, 2004, by cyber flash


  • Microsoft Internet Explorer (IE) 6.0

Two vulnerabilities have been discovered in IE that can be used to bypass a security feature in Windows XP Service Pack 2 (SP2) and trick users into downloading malicious files. These two vulnerabilities are:

  • Windows XP SP2 has a security feature that warns users when they open downloaded files of certain types. The problem is that, in some situations, users won't receive the security warning if the downloaded file was sent with a specially crafted Content-Location HTTP header.
  • An error when saving some documents using the JavaScript execCommand() function can be exploited to spoof the file extension in the Save HTML Document dialog box.

Successful exploitation requires that the option "Hide extension for known file types" is enabled (the default setting). A malicious Web site can combine these two vulnerabilities to trick a user into downloading a malicious executable file masquerading as an HTML document.
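The masquerade described above depends on the name a user sees differing from the file's real type, so a defender can audit saved files for that mismatch. The following is an added example, not part of the original advisory; it assumes the mismatch appears as a visible name ending in .htm/.html once the final extension is hidden, and the extension lists, function names and sample inputs are constructed for illustration.

```python
import os

# Assumption: extensions treated as directly executable on Windows (not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".hta"}
# Assumption: extensions a user would read as a harmless web document.
DOCUMENT_EXTS = {".htm", ".html"}


def displayed_name(filename):
    """Name as shown when "Hide extension for known file types" is enabled:
    the final extension is dropped (assumes that extension is a registered type)."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def is_pe(header):
    """True if the first bytes carry the DOS/PE 'MZ' signature."""
    return header[:2] == b"MZ"


def audit_download(filename, header):
    """Return a list of findings for one saved file (name plus its first bytes)."""
    findings = []
    real_ext = os.path.splitext(filename)[1].lower()
    shown = displayed_name(filename)
    shown_ext = os.path.splitext(shown)[1].lower()
    # Real type is executable, but the visible name still ends like a document.
    if real_ext in EXECUTABLE_EXTS and shown_ext in DOCUMENT_EXTS:
        findings.append("displays as %r but real type is %s" % (shown, real_ext))
    # Executable content stored under a name that is not an executable type.
    if is_pe(header) and real_ext not in EXECUTABLE_EXTS:
        findings.append("PE content saved under non-executable extension %r" % real_ext)
    return findings


# Constructed sample inputs: (file name, first bytes of the file).
SAMPLES = [
    ("report.html", b"<!DOCTYPE html>"),
    ("invoice.html.exe", b"MZ\x90\x00"),
    ("setup.exe", b"MZ\x90\x00"),
    ("notes.htm", b"MZ\x90\x00"),
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        for finding in audit_download(name, head):
            print("%s: %s" % (name, finding))
```

Disabling "Hide extension for known file types" removes the condition the advisory names, since the real extension is then always visible.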

Microsoft has not released a fix or bulletin that addresses these vulnerabilities.

Discovered by cyber flash.
