Vulnerability Note VU#743974

Microsoft Internet Explorer execCommand() method SaveAs command uses misleading "Save HTML Document" dialog

Original Release date: 17 Dec 2004 | Last revised: 17 Dec 2004

Overview

Microsoft Internet Explorer contains a vulnerability in the way that it presents a Save As dialog. By invoking the SaveAs command with execCommand, an attacker could display a dialog that could trick a user into saving arbitrary content.

Description

Microsoft Internet Explorer (IE) supports a proprietary DHTML command called SaveAs, which saves the current document to a file. SaveAs is invoked by the execCommand method and can save any data that is displayed within the browser to a file. By setting the value of the appropriate SaveAs parameter, the full path and filename (including extension) can be specified.

Normally, the SaveAs command is used to save HTML documents. However, any file that can be displayed in a browser window can be saved to a file by the SaveAs command. Certain combinations of file extension and/or server-provided MIME type will cause IE to display binary data within the browser window. In such cases, SaveAs can be used to save an executable file to the local filesystem. The data to be saved could be contained within a hidden FRAME or IFRAME element.

The dialog presented by the SaveAs command has the following characteristics that facilitate an attacker's ability to deceive the user:

  1. The "Save as type" field of the dialog always displays "HTML File (*.htm; *.html)," regardless of the content that it is actually saving.
  2. Although the "Save as type" field indicates that it is saving an HTML file, it does not save a file with a .htm or .html extension.

The default configuration for Windows is to hide the file extension for known file types. With file extensions hidden, a file called "file.html.exe" on the filesystem will appear as "file.html" in the save dialog and also in Windows Explorer.

When downloading a file with Windows XP SP2, the user is normally presented with a dialog titled "File Download - Security Warning." When the SaveAs command is used to save a file, this security dialog is bypassed. In addition, Windows XP SP2 normally stores the zone information about downloaded files in an NTFS Alternate Data Stream. This is known as a Persistent Zone Identifier. Files saved with the SaveAs command do not contain this zone information. This means that the user will not be presented with the security warning dialog when an application saved with the SaveAs command is executed.

Impact

An attacker could convince a user to save an arbitrary file to a specific location on the local filesystem. This file could appear to be an HTML document, when it actually is an executable file.

Solution

Disable Active scripting

Disabling Active scripting prevents execCommand from running. As a result, the SaveAs command will not execute, thus preventing the spoofed save dialog. Instructions for disabling Active scripting can be found in the Malicious Web Scripts FAQ. Note that disabling Active scripting will reduce the functionality of many web sites.

Disable "Hide extensions for known file types"

The default configuration for Windows is to hide the extensions for known file types. An attacker can take advantage of this by creating a file with double extensions. For example, "file.html.exe" will appear as "file.html" by default. This can allow executable files to masquerade as less dangerous file types. Configure Windows Explorer to show all file extensions. Displaying the actual file extension will make it easier to understand what type of file is being saved.
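
The following audit script is an added example, not part of the original note or any vendor tooling. It reports whether Explorer is hiding extensions for the current user and lists executables whose names carry a harmless-looking inner extension, together with whether each one has the Zone.Identifier alternate data stream (the Persistent Zone Identifier described above). Assumptions: PowerShell 3.0 or later on an NTFS volume; the `$ScanPath` default and both extension lists are illustrative choices.

```powershell
# Added example: audit for the two conditions this note describes.
# Assumptions: PowerShell 3.0+ on NTFS; $ScanPath and the extension lists are illustrative.
param(
    [string]$ScanPath = "$env:USERPROFILE\Desktop"
)

# 1. Report whether Explorer hides extensions for known file types (1 = hidden, the default).
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hide = (Get-ItemProperty -Path $advKey -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
if ($hide -ne 0) {
    Write-Warning "Extensions are hidden for the current user. To show them:"
    Write-Warning "  Set-ItemProperty -Path '$advKey' -Name HideFileExt -Value 0"
}

# 2. Find executables that display as another file type while extensions are hidden.
# Final extensions that execute when opened, and inner extensions that look harmless.
$execExt  = '.exe', '.com', '.scr', '.pif', '.bat', '.cmd'
$decoyExt = '.htm', '.html', '.txt', '.jpg', '.gif', '.doc', '.pdf'

Get-ChildItem -LiteralPath $ScanPath -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $execExt -contains $_.Extension.ToLower() } |
    ForEach-Object {
        # Extension of the name with the real extension stripped, e.g. ".html" for file.html.exe
        $inner = [IO.Path]::GetExtension($_.BaseName).ToLower()
        # Zone.Identifier is the alternate data stream holding the Persistent Zone Identifier.
        $zone = Get-Item -LiteralPath $_.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Path            = $_.FullName
            ShownAs         = $_.BaseName   # what Explorer displays while extensions are hidden
            DoubleExtension = $decoyExt -contains $inner
            HasZoneId       = [bool]$zone   # False: no security warning when the file is run
        }
    } |
    Where-Object { $_.DoubleExtension } |
    Sort-Object HasZoneId |
    Format-Table -AutoSize
```

Rows with `HasZoneId` set to False are the ones that match the behavior described for files written by SaveAs: a double-extension executable that will launch without the security warning dialog.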

Systems Affected

Vendor                 Status    Date Notified  Date Updated
Microsoft Corporation  Affected  06 Dec 2004    17 Dec 2004

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A

Credit

This vulnerability was reported by cyber flash.

This document was written by Will Dormann.

Other Information

  • CVE IDs: Unknown
  • Date Public: 17 Nov 2004
  • Date First Published: 17 Dec 2004
  • Date Last Updated: 17 Dec 2004
  • Severity Metric: 1.69
  • Document Revision: 15
