Re: MSIE may download and run progams automatically - NOT SO FAST

Date: 12/16/01

Date:         Sat, 15 Dec 2001 16:40:06 -0800
From: "" <http-equiv@EXCITE.COM>

Saturday, December 15, 2001

"Jouko Pynnonen" <> wrote in message

> Microsoft was initially contacted on November 19th with the information
> regarding the "file extension spoofing" problem. The Security Warning
> dialogs of IE5 could be bypassed with that exploit, but the "automatically

> start an .exe" variation of the vulnerability wasn't known at the time.
> Microsoft didn't consider the file extension spoofing problem a security
> vulnerability. The company was informed about the new variation on
> November 27th and started working on a patch to correct the flaw. The
> patch is now out and downloadable on Microsoft's site at

She and her beta team forgot about *the* most important Content-Type:

Clearly what this so-called "patch" does is convert all embedded file types
in MHTML documents viewed in patched Internet Explorer 6 into *.TMP files.
Previously all file types and file names were retained and if accepted would

What that means is when prompted for 'opening or saving', [screen shot: 14KB], if your hand should slip or if
you do not know any better and select 'open', because the file extension is
*.TMP, you will be asked 'what do you want to open the file with' (screen
shot: 20KB) which does indeed kill any
accidental or running of the file.

Working example:

[open in IE6 "patched"] 11KB

Before the patch and under an MTHML file situated on the web site and viewed
with Internet Explorer 6, you would be in a position to manipulate the file
extension and download box as displayed here:
[screen shot: 27KB]

Now with the so-called "patch", regardless of the filename="malware.exe" or
the Content-Type: image/gif; combination, everything is effectively
converted to a *.TMP file in the Temporary Internet File. Attempting to open
the *.TMP, depending on what it is will either bring up the 'what do you
want to open the file with' box, or display the file as plain text.

Dangerous files such as *.exe or *.scr or *.bat simply will not run if you
elect to run the file through the Internet Explorer 6 patched browser.
Sounds good.

Unfortunately, while she did a fairly reasonable job on this so-called
"patch" she forgot one of the most important content-types. Her very own
invention. The one and only:

Content-Type: application/hta;

We are still able to invoke a download, that if accepted will execute our
malware on the target computer, through the "patched" Internet Explorer 6.

This newly found creation of download file conversion through MHTML to
generic *.TMP file name on the download box coupled with the 'supposed'
security of this so-called "patch" will most definitely yield plenty of
quick prey:

Working Example:

[self explanatory includes harmless *.exe, open in IE6 "patched"] 4KB


1. We note that this patch has zero effect on Outlook Express 6 and the
ability to "spoof" file names [see:].
Coming up 17 months and counting now.
2. Workhorse: Windows 98 and Internet Explorer 6.0.2600 and this so-called
3. Seasons Greetings to Everyone. Yeah you too, incompetent slobs.

End Call


______________________________________________________________________________ Send a friend your Buddy Card and stay in contact always with Excite Messenger

============================================================================ Delivery co-sponsored by Trend Micro, Inc. ============================================================================ BEST-OF-BREED ANTIVIRUS SOLUTION FOR MICROSOFT EXCHANGE 2000 Earn 5% rebate on licenses purchased for Trend Micro ScanMail for Microsoft Exchange 2000 between October 1 and November 16. ScanMail ensures 100% scanning of inbound and outbound traffic and provides remote software management. For program details or to download your 30-day FREE evaluation copy: