ISS X-Force Database: ie-mac-downloaded-file-execution(7336): Microsoft Internet Explorer for Mac OS X could allow the automatic execution of downloaded files

Microsoft Internet Explorer for Mac OS X could allow the automatic execution of downloaded files

ie-mac-downloaded-file-execution (7336)

High Risk

Description:

Microsoft Internet Explorer for Mac OS X could allow a remote attacker to execute arbitrary code on the system, caused by a vulnerability in the way Internet Explorer and Mac OS X handle downloaded BinHex and MacBinary file types. A remote attacker can exploit this vulnerability by hosting a malicious BinHex or MacBinary file on a Web site, that once downloaded, the malicious file would be executed automatically on the victim's system.

Consequences:

Gain Access

Remedy:

Apply the "Internet Explorer 5.1 Security Update" for your system, available from the AppleCare Web site. See References.

For Internet Explorer 5.1 for Macintosh OS X:
Microsoft originally provided a patch for this vulnerability in MS01-053, but it was superseded by the patch released with MS02-019. See References.

References:

AppleCare Web site: Welcome to AppleCare!.
CIAC Information Bulletin M-013: Mac OS X Downloading Applications Vulnerability.
Microsoft Security Bulletin MS01-053: Downloaded Applications Can Execute on Mac IE 5.1 for OS X.
Microsoft Security Bulletin MS02-019: Unchecked Buffer in Internet Explorer and Office for Mac Can Cause Code to Execute (Q321309).
BID-3471: Microsoft IE 5.1 for Mac OS X 10.1 Download Execution Vulnerability
CVE-2001-0720: Internet Explorer 5.1 for Macintosh on Mac OS X allows remote attackers to execute arbitrary commands by causing a BinHex or MacBinary file type to be downloaded, which causes the files to be executed if automatic decoding is enabled.

Platforms Affected:

Microsoft Internet Explorer 5.1

Reported:

Oct 23, 2001

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page