SecurityTracker.com
Category:   Application (Web Browser)  >   Microsoft Internet Explorer
Vendors:   Microsoft
Microsoft Internet Explorer (IE) 6 Lets Remote Users Cause Files to Be Downloaded and Executed Without the Knowledge or Consent of the Victim
SecurityTracker Alert ID:  1003839
SecurityTracker URL:  http://securitytracker.com/id/1003839
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 18 2002
Impact:   Execution of arbitrary code via network, User access via network

Version(s): 6
Description:   Secure Net Service reported another file download vulnerability in Microsoft Internet Explorer (IE) version 6. A remote user can cause another target (victim) user to automatically download and execute a file without the knowledge or consent of the target user.

It is reported that the IE 6 vulnerability allows for downloading of a file and automatic execution of the downloaded file under several circumstances. Details of this flaw were not provided in the report.

It is reported that a remote user can create HTML content that, when accessed by a target (victim) user via IE 6, will cause a specified file to be downloaded and executed without the knowledge of the target user.

The vendor has reportedly been notified.

Impact:   A remote user can create HTML content that, when loaded by the target (victim) user, will cause a specified file to be downloaded to the target user's host and then executed.
Solution:   No vendor solution was available at the time of this entry.

Secure Net Service has provided the following workaround:

Disable "File download" option from "Internet Option."

Vendor URL:  www.microsoft.com/technet/security/
Cause:   Access control error, State error
Underlying OS:  Windows (Any)

Message History:   None.
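
An added example, not part of the advisory or the SecurityTracker entry: a PowerShell audit of the "File download" workaround described above, reporting per security zone whether downloads are disabled and which registry location supplies the value. It assumes that the option corresponds to URL action 1803 (0 = enabled, 3 = disabled) under the Internet Settings\Zones keys, and that policy keys take precedence over preference keys.

```powershell
# Added example (not from the advisory): audit the IE "File download" zone setting.
# Assumption: that option is URL action 1803, where 0 = enabled and 3 = disabled.
$action = '1803'
$suffix = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Checked in the order IE is assumed to resolve zone settings: policy before preference.
$roots = @(
    @{ Name = 'Machine policy';  Path = "HKLM:\SOFTWARE\Policies\$suffix" },
    @{ Name = 'User policy';     Path = "HKCU:\Software\Policies\$suffix" },
    @{ Name = 'User setting';    Path = "HKCU:\Software\$suffix" },
    @{ Name = 'Machine default'; Path = "HKLM:\SOFTWARE\$suffix" }
)
$zones = @(
    @{ Id = 1; Name = 'Local intranet' },
    @{ Id = 2; Name = 'Trusted sites' },
    @{ Id = 3; Name = 'Internet' },
    @{ Id = 4; Name = 'Restricted sites' }
)

function Get-FileDownloadState {
    foreach ($zone in $zones) {
        $value = $null
        $source = 'not set'
        foreach ($root in $roots) {
            $key  = Join-Path $root.Path $zone.Id
            $prop = Get-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue
            if ($null -ne $prop) {
                $value  = $prop.$action
                $source = $root.Name
                break   # first location that defines the value wins
            }
        }
        [pscustomobject]@{
            Zone     = $zone.Name
            Value    = $value
            Source   = $source
            # Only an explicit 3 counts as the workaround being applied.
            Disabled = ($value -eq 3)
        }
    }
}

Get-FileDownloadState | Format-Table -AutoSize

# To apply the workaround for the current user in the Internet zone (zone 3):
# Set-ItemProperty -Path "HKCU:\Software\$suffix\3" -Name $action -Value 3 -Type DWord
```

A zone reported as "not set" falls back to the browser's built-in default for that zone, so it should not be read as having the workaround applied.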


 Source Message Contents

Subject:  Microsoft Internet Explorer 6 Still Download And Execute ANY Program


SNS Advisory No.48

Microsoft Internet Explorer 6 Still Download And Execute ANY Program
Automatically

Problem first discovered: Wed, 13 Feb 2002
Published: Mon, 18 Mar 2002



Overview:

Microsoft Internet Explorer 6 contains a vulnerability which allows for
downloading of a file and automatic execution of it under several
circumstances. This occurs without the knowledge of the user. If a
malicious webmaster creates malicious content which can exploit this
problem, and if the user accesses this content using Internet Explorer
6, then the program specified by the webmaster could be downloaded and
executed automatically on the user's system. 

Tested Versions:

Microsoft Internet Explorer 6 + all available fixes 

Tested OS:

Windows 2000 Professional + SP2 + SRP1 [Japanese]
Windows NT 4.0 Workstation + SP6a + all available fixes [Japanese]
Windows 98 + Windows 98 System Update + all available fixes [Japanese]

Workaround:

Disable "File download" option from "Internet Option." 

Discovered by:

ARAI Yuu (LAC) y.arai@lac.co.jp

Vendor Status:

Microsoft was initially contacted on February 13th about this issue. A
month has since passed, but they haven't released a fix or anything to
solve this problem. We are concerned that a lot of users can be affected
by this, thus we have decided to release an advisory on this
vulnerability.

Disclaimer:

All information in these advisories is subject to change without any
advance notice or mutual consensus, and each of them is released
as it is. LAC Co., Ltd. is not responsible for any risks of occurrences
caused by applying this information.

