Internet Explorer determines whether an object is safe when it interprets the file extension specified in the "Object Data" tag. This allows a malicious person to specify a "safe" file with e.g. a ".html" extension in "Object Data", which causes Internet Explorer to interpret it as a "safe" file. However, when the file is retrieved by Internet Explorer the "Content-Type" header determines how the file will be treated. This allows an executable file like a ".hta" file to be treated as a "safe" file and be executed silently without restrictions.
NOTE: Further information has been released by http-equiv, proving that the patch from Microsoft is not adequate. Refer to solution section.
Secunia has constructed a vulnerability test, which can be used to check if you are affected by this issue: http://www.secunia.com/MS03-032/
Read the rest of this article at Secunia
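The flaw Secunia describes is a mismatch: the URL extension says "safe" while the server's Content-Type says "HTML Application". On the defender's side that mismatch is visible in a web proxy log. The following is an added example (not Secunia's or the blog's code) that scans constructed proxy log lines for exactly that pattern; the log format, the "safe" extension set and the executable type set are assumptions chosen for illustration.

```python
from typing import Dict, List
from urllib.parse import urlparse

# Extensions that pre-patch Internet Explorer accepted as "safe" from the
# Object Data URL alone. Assumed set for the example.
SAFE_EXTENSIONS = {".html", ".htm", ".txt", ".gif", ".jpg"}

# Response Content-Types that make the body executable regardless of the URL.
# application/hta is the HTML Application type named in the advisory; the
# second entry is an assumption added to widen the check.
EXECUTABLE_TYPES = {"application/hta", "application/x-msdownload"}

# Constructed proxy log lines (assumed format: timestamp method url status content-type).
SAMPLE_LOG = """\
2003-09-08T10:01:02 GET http://intranet.example/news.html 200 text/html
2003-09-08T10:01:05 GET http://ads.example/banner.gif 200 image/gif
2003-09-08T10:01:07 GET http://evil.example/page.html 200 application/hta; charset=us-ascii
2003-09-08T10:01:09 GET http://evil.example/update.exe 200 application/x-msdownload
2003-09-08T10:01:11 GET http://cdn.example/app.hta 200 application/hta
"""

def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into fields; strip charset parameters from the type."""
    ts, method, url, status, ctype = line.split(None, 4)
    media_type = ctype.split(";")[0].strip().lower()
    return {"ts": ts, "method": method, "url": url, "status": status, "ctype": media_type}

def url_extension(url: str) -> str:
    """Return the lowercased extension of the URL path, or '' if it has none."""
    path = urlparse(url).path
    dot = path.rfind(".")
    if dot == -1 or "/" in path[dot:]:
        return ""
    return path[dot:].lower()

def find_mismatches(log_text: str) -> List[Dict[str, str]]:
    """Entries whose URL looks safe but whose Content-Type is executable."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        ext = url_extension(entry["url"])
        if ext in SAFE_EXTENSIONS and entry["ctype"] in EXECUTABLE_TYPES:
            entry["ext"] = ext
            hits.append(entry)
    return hits

if __name__ == "__main__":
    for hit in find_mismatches(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['url']} ext={hit['ext']} served as {hit['ctype']}")
```

Only the ".html" URL served as application/hta is flagged; a plain ".hta" URL served as application/hta is honest about what it is and does not match this particular trick.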
My God, it just never ends.
This unending parade of security flaws will never stop. Between ActiveX, Microsoft-hacked Java, and HTA scripting, Internet Explorer is nothing but a collection of security flaws that loads web pages as an afterthought. Now they can't even do a proper job of patching the vulnerabilities they know exist.
Remember Surferbar, which I discussed last week? Security experts have discovered that Surferbar is exploiting one of the flaws discussed in Secunia's article to install itself. We have reason to believe that two other malware distributors also might be using, or at least testing, it.
If you are using Internet Explorer as your primary browser, you are most likely vulnerable to this flaw. You can find out for sure by taking this test.
Do you want to know how to be completely safe from these security flaws? Do you want to know how to be 100% safe from driveby malware that installs right through the browser? The answer is very simple: use a real browser, not a web browsing extension tied to a Microsoft operating system. http://texturizer.net/firebird/ http://www.opera.com/
I'm not being sarcastic. I am dead serious. Internet Explorer is not safe, except when the most draconian precautions are taken. It is a bare bones, featureless browser that doesn't even provide tabbed browsing. I guarantee you, if you switch to Mozilla Firebird and use it for a while you will never want to use Internet Explorer again. Read all about Firebird at the official help site and decide for yourself.