Security Firm Warns Of New Download Flaw In IE

The Danish security company Secunia posted a "moderately critical" alert detailing the vulnerability, which could allow hackers to fool users into downloading malicious files. The problem affects Internet Explorer 6, said Secunia in its alert, but earlier editions may also be at risk.

By embedding a CLSID (CLasS ID, the identifier of COM objects in Microsoft's COM architecture) in the file name, attackers could disguise a malicious file as something users normally trust. After enticing users to their Web sites -- often done by inserting a link in an e-mail message -- attackers could, for instance, get recipients to download what appears to be a Word document but which in fact is a Trojan horse, key logger or even a worm, such as the still-spreading Mydoom.

Secunia recommended that users do not use the open file option when downloading a file from suspicious Web sites, but instead save the file to disk to see the true file type before running.
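As an added illustration (not code from Secunia, Microsoft or the original story), the sketch below flags offered file names that embed a CLSID, the disguise described above, for example when reviewing proxy or mail-gateway download logs. It assumes the CLSID appears in the usual brace-delimited GUID form, possibly percent-encoded; the function names and the sample names with an all-zero placeholder GUID are constructed for the example.

```python
import re
from urllib.parse import unquote

# Brace-delimited GUID in registry format: {8-4-4-4-12 hex digits} (assumed form)
CLSID_RE = re.compile(
    r"\{[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}\}"
)

def decode_name(raw, max_rounds=3):
    """Percent-decode repeatedly (bounded) so %7B..%7D and double encoding are seen."""
    name = raw
    for _ in range(max_rounds):
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    return name

def inspect_filename(raw):
    """Return a finding dict if the offered file name embeds a CLSID, else None."""
    # Keep only the last path component, whichever separator was used.
    name = decode_name(raw).replace("\\", "/").rsplit("/", 1)[-1]
    match = CLSID_RE.search(name)
    if match is None:
        return None
    # What the name looks like once the CLSID is dropped from view.
    visible = CLSID_RE.sub("", name)
    apparent_ext = visible.rsplit(".", 1)[-1].lower() if "." in visible else ""
    return {"name": name, "clsid": match.group(0).upper(),
            "apparent_ext": apparent_ext}

def scan(names):
    """Inspect an iterable of offered file names and return only the findings."""
    return [f for f in map(inspect_filename, names) if f is not None]

# Constructed sample names; the all-zero GUID is a placeholder, not a real class.
SAMPLES = [
    "quarterly-report.doc",
    "invoice.{00000000-0000-0000-0000-000000000000}notes.doc",
    "photo.%7B00000000-0000-0000-0000-000000000000%7Dholiday.jpg",
    "archive.%257B00000000-0000-0000-0000-000000000000%257D.zip",
    "readme{draft}.txt",
]

if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```

A hit means the name deserves the treatment Secunia recommends: save it to disk and check the true file type before running it.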

The new spoofing tactic would be especially effective if combined with an earlier IE vulnerability that lets hackers disguise the identity of a Web site by showing a bogus URL in the browser's address bar. Secunia disclosed that IE flaw last month, and although Microsoft has posted a notice with tips on how to avoid such spoofing, it has not yet released a patch.

Among those tips, Microsoft recommends that users not click on hyperlinks, but instead type URLs directly into IE's address bar.

*This story courtesy of Techweb.com.