This probably isn't the best way to post this report. I'd prefer a
verifiable source.

Thanks,
Scott

"AARG! Anonymous" wrote:
>
> NIPC Daily Report 27 November 2001
>
> NOTE: Please understand that this is for informational purposes only
> and does not constitute any verification of the information contained in
> the report nor does this constitute endorsement by the NIPC or the FBI.
>
> Significant Changes and Assessment - There is a vulnerability in
> Microsoft Internet Explorer that allows a malicious Web site to spoof
> file extensions in the download dialog to make an executable program
> file look like a text, image, audio or other file. The user will see a
> dialog window open, asking if the user wants to OPEN or SAVE. Should
> the user decide to OPEN the file, the file will run without further
> prompting. If the code is executable, no matter what the extension, the
> program will run on the user's system, allowing the program full use of
> the user's system. This does not require any scripting turned on at all
> but can be called via JavaScript, inside an iframe, or even as a normal
> link.
> ...

--
Scott Elam
Sun Microsystems
SunIT, Network Security Group, SunCERT

This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:35:15 PDT