Microsoft Internet Explorer execCommand bypass download warnings

ie-execommand-warning-bypass (18181) The risk level is classified as High Risk

Description:

Microsoft Internet Explorer 6.0 running on Windows XP could allow a remote attacker to bypass the 'File Download' and 'File Open' security warnings and download arbitrary files to a victim's system. If the 'Hide file extensions for known file types' option is enabled, which is the default setting, a remote attacker could create a specially-crafted HTTP 404 Not Found error message Web page that invokes the execCommand function to spoof the file extension in the "Save HTML Document" dialog. This could allow the attacker to download arbitrary files to the victim's system once the malicious Web page is visited.

Platforms Affected:

  • Microsoft, Internet Explorer 6
  • Microsoft, Windows XP SP2

Remedy:

No remedy available as of November 29, 2008.

Consequences:

Gain Access

References:

  • BugTraq Mailing List, Fri Nov 19 2004 - 23:50:23 CST, Microsoft Internet Explorer 6 SP2 Vulnerabilities / Full disclosure Vs. Security by Obscurity... at http://archives.neohapsis.com/archives/bugtraq/2004-11/0260.html.
  • BID-11686: Microsoft Internet Explorer File Download Security Warning Bypass Vulnerability
  • CVE-2004-1331: The execCommand method in Microsoft Internet Explorer 6.0 SP2 allows remote attackers to bypass the File Download - Security Warning dialog and save arbitrary files with arbitrary extensions via the SaveAs command.
  • SA13203: Microsoft Internet Explorer Two Vulnerabilities
  • US-CERT VU#743974: Microsoft Internet Explorer execCommand() method SaveAs command uses misleading Save HTML Document dialog

Reported:

Nov 19, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net
