Microsoft investigates 'download warning' flaw

Problem in IE and XP SP2 allows a malicious Web site to bypass the browser's warnings when downloading potentially harmful content.

Munir Kotadia Special to CNET News
3 min read
Microsoft has said it will take "appropriate action" to fix a problem in Internet Explorer and Windows XP SP2 that allows a malicious Web site to bypass the browser's warnings when downloading potentially harmful content.

On Monday, French Web site K-otik published exploit codes that could take advantage of the vulnerability. On Tuesday, a Microsoft representative said that the risk from the flaw is low because "significant user interaction and user interface steps have to occur before any malicious code can be executed."

However, the software giant did admit that it was possible to bypass the security warnings in IE--even when using Windows XP with Service Pack 2.

"Microsoft is investigating this method of bypassing the Internet Explorer download warning and will take appropriate action to cover this scenario in order for customers to be properly advised that executables downloaded from the Internet can be malicious in nature," the representative said.

The representative acknowledged that if the file were saved in the start-up folder, it would automatically run the next time the user restarted his computer.

"The user must go to the folder containing that executable and choose to run it, or log off and log back onto the computer if the attacker attempted to save the malicious executable into the user?s Windows start-up folder," the representative said.

However, the representative said the problem was not a security vulnerability but actually a clever use of social engineering.

"It is important to note that this is not the exploitation of a security vulnerability, but an attempt by an attacker to use social engineering to convince a user to save an executable file on the hard drive without first receiving the Internet Explorer download warning," the representative said.

Still, some security experts disagree with Microsoft on this point.

Sean Richmond, senior technology consultant at antivirus company Sophos Australia, agreed that the exploit would require some user interaction but said this was definitely bypassing a security feature in IE and SP2.

"This is certainly something that is bypassing some of the security features that are meant to be there. It is a way of bypassing the dialogs in IE. It will result in the (malicious) file being saved on the user's computer," said Richmond, who added that the matter would be worse if that file could be saved in a computer?s start-up folder.

Richard Starnes, an information security professional with around 20 years' experience in information security, incident response, computer crime investigation and cyberterrorism, said that legislation could be used to force Microsoft--and other software developers--to improve their code and take financial responsibility for their customers' losses.

"I wonder how solid Microsoft's coding would become if strategic governments around the world removed the liability shield that software manufactures now currently enjoy," Starnes said. "They would then have some real financial incentive to get it right the first time, instead of this Computer Science 101 coding they are continually churning out."

Starnes believes the quality of software development has fallen in the past two decades.

"Most commercial releases of software today wouldn't have made it out of beta 20 years ago," he added.

Munir Kotadia of ZDNet Australia reported from Sydney.