Security researchers are warning of another spoofing vulnerability in Internet Explorer, this time one that allows an attacker to mask the true file extension of malicious downloads.
The file-extension spoof means that an attacker could lull a user into opening a malicious file from a Web site by making the file appear to have a legitimate extension, such as that of a PDF or MPEG file, researchers said on Wednesday.
In a security bulletin, Copenhagen-based security vendor Secunia Ltd. rated the vulnerability as “moderately critical” and said it affected IE 6 and possibly earlier versions of the Web browser as well.
Users can avoid the vulnerability by first saving a download to a folder, rather than directly opening it, when prompted by IE. Saving the file reveals its true file name.
A Microsoft Corp. spokeswoman said the company is investigating the file-name spoofing vulnerability but could not say whether a fix would be ready at the same time as a planned patch for another IE spoofing vulnerability.