IE file download extension spoofing hole

In: Browsers

30 Jan 2004

InfoWorld reports on a new Internet Explorer security hole that allows file download extensions to be spoofed. The hole lets a site author make a downloaded file appear safe by spoofing its extension, when in fact it could be anything, including malicious executables.

Security company Secunia has a demo of this security hole over at their Internet Explorer File Download Extension Spoofing Test.

The author of the InfoWorld article goes so far as to say:

The possibilities are endless, and since both spoof issues appear to be unfixable, it must surely place a big question mark over Explorer’s viability as a browser.

The other aforementioned spoof issue is, of course, the URL spoofing vulnerability. There is some good news on this front, though: Neowin.net reports that Microsoft will fix this with an IE update to remove support for usernames in HTTP URLs.

Can’t say the damage hasn’t been done. Has it got your average non-technical Joe/Jane looking for alternative browsers? Maybe grandma is starting to ask for “a better Internet”? No one knows for sure, but I’m sure if this is publicized further in the mass media, there’ll be some very pleased converts.

3 Responses to IE file download extension spoofing hole

Richard

January 30th, 2004 at 2am

If a security problem ever becomes enough of a problem to seriously hit John Q. User I don’t think he’ll look at other browsers. (Barring, say, a big story on Mozilla and Opera on CNN.) They’ll just become afraid to do anything interactive over the internet.

Cheah Chu Yeow

January 30th, 2004 at 2am

While that may be true for grandma, I find it highly unlikely that most people would stop surfing or downloading stuff. Sure, there are people who become so afraid as to stay away, but my conjecture is that these people are few in number and mostly are those who are far too technically disinclined.

The Internet is pervasive and much a part of our lives – but you don’t need me to tell you that. Most people would either continue using IE, for all its flaws, or switch (which would be a much smaller proportion).

Full(o)bloG

January 30th, 2004 at 1am

firebird 0.8
version 0.8 of firebird is about to be released, things are getting interesting…