Update: Experts warn of trick to bypass IE download warnings

IDG News Service - A computer security researcher and an antivirus company are warning Microsoft Corp. customers about an unpatched hole in the company's Internet Explorer Web browser that could allow a remote attacker to bypass security warnings and download malicious content onto vulnerable systems.
The warnings came after the hole was identified on the Bugtraq Internet security discussion list by someone using the name "Rafel Ivgi." The hole affects Internet Explorer Version 6.0.0, including the version released with Windows XP Service Pack 2. The vulnerability allows malicious attackers to bypass warnings designed to inform users when a file is being passed to their computers using a specially-crafted HTML Web document.
Microsoft reacted strongly to the warnings, saying that the Bugtraq notice made false claims about Internet Explorer in Windows XP SP2, and claiming that the download blocking feature in that version of the browser is working as designed.
"Microsoft is disappointed that an independent security researcher has posted a false claim on several newsgroups alleging that the automatic blocking feature of Internet Explorer in Windows XP SP2 (also referred to as the Information Bar) fails to function properly. These postings are inaccurate and misleading to customers," the company said in a statement.
Security software company Symantec Corp. issued a vulnerability alert about the hole today and cited Ivgi, which also provided code proving that the hole existed.
According to the Bugtraq message and Symantec alert, an Internet Explorer feature designed to catch references to file downloads doesn't detect a particular HTML event, known as "onclick," when it's combined with the common HTML Body tag, which designates the beginning and ending of the main part of a Web page.
Malicious Internet users could use the onclick event in combination with another function called "createElement" to create an IFrame, or "inline frame," which is an HTML element that allows external objects to be inserted into another HTML document. Attackers could link the IFrame to a malicious Web page that downloaded a malicious file to the user's computer when the page was clicked on, without generating a warning in the Information bar, Cupertino, Calif.-based Symantec said.
There is no patch available for the new hole, and no specific exploit code is required to take advantage of the hole, Symantec said.
According to Microsoft, the issue described in the Bugtraq alert is not a security problem. In fact, Internet Explorer for Windows XP SP2 does display a security warning in the scenario described in the warning: a dialog box instead of the information bar.
"And that is

Reprinted with permission from

IDG.net
Story copyright 2009 International Data Group. All rights reserved.