RealTime IT News

New IE Download Spoof Found

Security researchers on Wednesday released details of yet another spoofing flaw in Microsoft's Internet Explorer browser that could trick users into downloading malicious files.

The latest IE bug, which carries a "moderately critical" rating from tech security consulting firm Secunia, could allow malicious Web sites to spoof the file extension of downloadable files. Typically, an attacker could embed a CLS ID in a file name to fool users into opening malicious files as "trusted" file types.

Secunia has posted an online demonstration of the security hole.

The latest IE flaw, first reported by Secunia's Malware http-equiv list, affects Internet Explorer version 6. As a workaround, IE users are urged to avoid using the "open file" option when downloading a file. Instead, IE users are urged to save files to a folder as this reveals the suspicious filename.

Microsoft has confirmed the development of patches for several known IE vulnerabilities but the complicated testing process had led to a delay in the release of fixes.

Two of the more serious IE flaws that remain unpatched include a