Secunia has alerted its customers to three holes in Microsoft Internet Explorer, two of which are moderately critical.The moderately critical holes, discovered by Cyber Flash, allow the bypassing of security features in Windows XP SP2 on downloading files of particular types. Another error means that when saving some documents using the Javascript “execCommand() function a file extension can be spoofed in the Save HTML Document dialogue, Secunia said.The solution to these two problems are to disable Active Scripting support and the “hide extension for known file types option”.
There’s a demo of these problems, here.
The third, less serious hole is a Cookie path attribute problem if trusted sites support wildcard domains or the domain name contains a malicious site domain by using a maliciously crafted path attribute.
Users with Windows XP SP2 are not affected by the last problem. The solution is to disable cookies except when they’re needed, or to update to Windows XP SP2.
News source: TheInquirer
