Internet Explorer 6.0 SP2 File Download Security Warning Bypass Exploit Microsoft Internet Explorer (including IE for Windows XP SP2) is reported vulnerable to a file download security warning bypass. This unpatched flaw may be exploited to download a malicious executable file masqueraded as a HTML file. Secunia did not release the technical details (aka Security by Obscurity) thus we publish this page (aka Full Disclosure) Solution [EN] Disable Active Scripting and the "Hide file extensions for known file types" option [Tools->Folder Options->View] [FR] Désactivez Active Scriptig et l'option "Masquer les extensions des fichiers dont le type est connu [Panneau de configuration -> Options des dossiers -> Affichage] Credits : go to cyber flash How does it work ? A.K.A Exploit The following code requires no special server setup, and should work from any webpage that IE 6.0 fetches: Click here. Also, here's an example that requires modifying the IIS Error Mapping Properties (see below): Click here. Steps to configure IIS: Launch Internet Information Services manager. Under the 'Custom Errors' tab, modify the Error Mapping Properties as follows: 1. Error Code: 404 2. Default Text: Not Found 3. Message Type: URL 4. URL: /v.exe (name of the executable) Within the HTML page, insert an IFRAME as follows: The file 'vengy404.htm' intentionally doesn't exist on the server, so it will trigger a 404 error message as defined above. But, the javascript code below references the stealthy v.exe data within the frame 'NotFound' and is linked to 'funny joke.exe' when prompted to save the file: javascript:document.frames.NotFound.document.execCommand('SaveAs',1,'funny joke.exe'); ť The original advisory (mirrored by K-OTik) is available here