New IE Download Spoof Found

Written By
Ryan Naraine
Jan 28, 2004

Security researchers on Wednesday released details of yet another spoofing flaw in Microsoft’s Internet Explorer browser that could trick users into downloading malicious files.

The latest IE bug, which carries a “moderately critical” rating from tech security consulting firm Secunia, could allow malicious Web sites to spoof the file extension of downloadable files. Typically, an attacker could embed a CLSID in a file name to fool users into opening malicious files as “trusted” file types.

Secunia has posted an online demonstration of the security hole.

The latest IE flaw, first reported by Secunia’s Malware http-equiv list, affects Internet Explorer version 6. As a workaround, IE users are urged to avoid using the “open file” option when downloading a file. Instead, they are urged to save files to a folder, as this reveals the suspicious filename.

Microsoft has confirmed the development of patches for several known IE vulnerabilities, but the complicated testing process has led to a delay in the release of fixes.

Two of the more serious IE flaws that remain unpatched include a URL spoofing bug that could be used by “phishers” to trick unsuspecting surfers into giving up sensitive information, including credit card and social security numbers.

Last November, an independent security researcher also issued a warning for five potentially serious IE vulnerabilities that could lead to system access, exposure of sensitive information, cross-site scripting and security bypass. That flaw has not yet been patched.

Separately, Microsoft confirmed it was investigating reports of a security hole in the Windows XP operating system that could let attackers construct a malicious folder to make Windows Explorer execute malicious code on a user’s system.

A Microsoft spokesperson told internetnews.com the company was “aggressively investigating” the warning from http-equiv, adding that the appropriate action will be taken to protect customers either as a monthly patch or via an out-of-cycle release.
