Downloads

Internet Explorer 5.5 and 6, like most new software offerings, come with a whole new set of problems. But how do you keep up with all the most current patches? This update closes all known security holes affecting these browsers (as of December 13) and addresses three new security issues: One security flaw allows an attacker to alter HTML header information to make IE believe that an executable file is actually a different type of file--one that it is appropriate to simply open without asking the user for confirmation. This could enable the attacker to create a Web page or HTML e-mail that, when opened, would automatically run an executable on the user's system. This vulnerability affects IE 6.0 only, not 5.5.

The second issue is a newly discovered variant of the Frame Domain Verification vulnerability. This could enable a malicious Web site operator to open two browser windows, one in the web site's domain and the other on the user's local file system, and to pass information from the latter to the former. This could enable the site operator to read, but not change, any file on the user's local computer that could be opened in a browser window. This affects both IE 5.5 and 6.0.

The third flaw is related to the display of file names in the File Download dialog box. When a download is initiated, a dialog provides the name of the file. However, in some cases it is possible for an attacker to misrepresent the name of the file in the dialog. This could be invoked from a Web page or in an HTML e-mail in an attempt to fool users into accepting unsafe file types from a trusted source. This vulnerability affects both IE 5.5 and 6.0.