13 Dec 2001
The recent discovery of a security vulnerability in Microsoft Internet Explorer has become a hot topic on the security wires, but experts say it may have been blown out of proportion.
In the last few weeks, security experts at Oy Online have published details of a flaw in IE that would allow a malicious website to spoof file extensions in the download dialog, making a potentially dangerous executable program look like a text, image, audio or any other file.
The discovery was followed up by a scathing attack on techie favourite Slashdot which claimed: "If you routinely browse with IE or read mail with Outlook, keep in mind that any web page you visit or any email you open can take over your computer, steal sensitive files, destroy your machine, anything."
But while the attack was justified to a degree, Ollie Whitehouse, manager of security architecture for @stake, said that, although the vulnerability is a real threat, "we see real threats every day".
"The potential effects of this vulnerability can be contained through due diligence. You have to get someone to visit an obscure booby trapped server, which you probably wouldn't come across in casual browsing," he explained.
The basis of the vulnerability is that a piece of HTML code could be set up linking to a downloadable file such as 'Readme.txt'.
If the user clicks on this and, when the prompt comes up, chooses 'open from current location', the malicious file disguised as Readme.txt is executed.
Essentially, on a specially configured server the HTTP headers sent with the file can be altered to declare a different content type, so a malicious .exe file can masquerade as a .txt file.
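As an added illustration, not part of the original article, here is the kind of check a download proxy or gateway could apply to the mismatch described above: compare the Content-Type and filename the server advertises against the leading bytes of the body. The sample response, the signature list and the "benign" label sets are constructed assumptions for the example.

```python
import re
from urllib.parse import urlparse

# Illustrative signature list (assumption: a real gateway would use a fuller library).
EXECUTABLE_MAGIC = {b"MZ": "Windows PE/DOS executable", b"\x7fELF": "ELF executable"}
# Labels a download dialog would present to the user as harmless (constructed set).
BENIGN_TYPES = {"text/plain", "image/gif", "image/jpeg", "image/png", "audio/mpeg", "audio/x-wav"}
BENIGN_EXTS = {".txt", ".gif", ".jpg", ".jpeg", ".png", ".mp3", ".wav"}


def parse_headers(raw: bytes) -> dict:
    """Parse an HTTP response header block into a dict keyed by lowercase header name."""
    headers = {}
    for line in raw.decode("latin-1").split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def claimed_filename(headers: dict, url: str) -> str:
    """Name the dialog would show: Content-Disposition filename, else the URL path basename."""
    m = re.search(r'filename="?([^";]+)"?', headers.get("content-disposition", ""), re.I)
    return m.group(1) if m else urlparse(url).path.rsplit("/", 1)[-1]


def executable_kind(body_prefix: bytes):
    """Return the executable format matching the leading bytes, or None."""
    for magic, kind in EXECUTABLE_MAGIC.items():
        if body_prefix.startswith(magic):
            return kind
    return None


def check_download(url: str, raw_headers: bytes, body_prefix: bytes) -> dict:
    """Flag a download advertised as benign whose bytes are actually an executable image."""
    headers = parse_headers(raw_headers)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    name = claimed_filename(headers, url)
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    kind = executable_kind(body_prefix)
    looks_benign = ctype in BENIGN_TYPES or ext in BENIGN_EXTS
    return {"filename": name, "content_type": ctype, "actual": kind,
            "suspicious": bool(kind) and looks_benign}


# Constructed sample: a response advertising Readme.txt as text/plain whose body starts as a PE image.
SPOOFED_HEADERS = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                   b"Content-Disposition: attachment; filename=\"Readme.txt\"\r\n\r\n")
SPOOFED_BODY = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"

if __name__ == "__main__":
    print(check_download("http://example.test/Readme.txt", SPOOFED_HEADERS, SPOOFED_BODY))
```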
"You have to go to a lot of effort to exploit this flaw," said Whitehouse. "You actually have to set up a server and a website with the intention of carrying out the exploit. And you have to get victims to visit it."
Microsoft has been informed of the flaw and is working on a fix. However, Whitehouse and other experts have expressed concern that the vulnerability is now publicly known, if not in fine detail, while no patch is yet available.