Scenario:
When clicking on a link and selecting the Open option, Microsoft Internet Explorer (MSIE) indicates that a file download is in progress, but is really running an Application.
Cause:
MSIE is being used to access a web link that points to an HTML Application (HTA). The spoof was first discovered in 2001 and reported to Microsoft. It works on the premise that a user selects the Open option instead of Save to disk when downloading a file.
If the filename of the link in question includes an embedded Class ID (CLSID) string, it can trick both the Operating System and MSIE into believing the file is trusted and into executing it with little hindrance. This could lead to the inadvertent introduction of a virus, worm, or other malicious file on the user's computer. The potential for an infiltration is even more acute if the spoof's implications are considered alongside another flaw that allows URL Spoofing in MSIE.
The spoof works because CLSID strings are a key part of the Component Object Model (COM), a method used to build applications. While Microsoft claimed to have fixed the related flaws, they were reintroduced in a subsequent MSIE update.
Solution:
The obvious best solution is to not use Microsoft Internet Explorer at all! However, that is not always possible. If there is no way to avoid using MSIE, the next best solution is to always save downloaded files to disk and examine them before execution. It is also prudent to harden MSIE's security settings by:
Hardening MSIE in this manner will not fully eliminate the problem, but will add an additional layer of protection.
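One way to examine a link or a saved file's name for the embedded CLSID string described under Cause, as an added example that is not part of the original article. The function names, the example.test host, the sample filenames and the all-zero CLSID are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# A CLSID is written as a GUID in braces: {8-4-4-4-12 hex digits}.
CLSID_RE = re.compile(r"\{[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}\}")

# Constructed sample inputs; the all-zero CLSID is a placeholder.
SAMPLES = [
    "http://example.test/files/report.txt.%7B00000000-0000-0000-0000-000000000000%7D",
    "C:\\Downloads\\photo.jpg.{00000000-0000-0000-0000-000000000000}",
    "http://example.test/files/report.txt",
]

def leaf_name(link_or_path):
    """Return the final filename component of a URL or a local path."""
    text = urlsplit(link_or_path).path if "://" in link_or_path else link_or_path
    # Decode up to three times so a double-encoded brace (%257B) is caught too.
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return re.split(r"[\\/]", text)[-1]

def check_name(link_or_path):
    """Report whether the filename carries an embedded CLSID string."""
    name = leaf_name(link_or_path)
    match = CLSID_RE.search(name)
    if match is None:
        return {"name": name, "suspicious": False, "clsid": None, "without_clsid": name}
    # The name with the CLSID cut out, so a reviewer can compare both forms.
    remainder = (name[:match.start()] + name[match.end():]).rstrip(". ")
    return {"name": name, "suspicious": True,
            "clsid": match.group(0).upper(), "without_clsid": remainder}

if __name__ == "__main__":
    for sample in SAMPLES:
        result = check_name(sample)
        verdict = "EMBEDDED CLSID" if result["suspicious"] else "ok"
        print(f"{verdict:15} {result['name']}")
```

A name flagged here should be treated as untrusted regardless of the extension it appears to have.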