# "Save Picture As" Security Flaw



## mimo2005 (Oct 2, 2004)

*Microsoft Internet Explorer "Save Picture As" Image Download Spoofing * 


Secunia Advisory: SA13317 
Release Date: *2004-11-26 * 


Critical: 
Moderately critical 
Impact: Spoofing

Where: From remote

Solution Status: Unpatched 


Software: Microsoft Internet Explorer 6


Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it. 


Description:
cyber flash has discovered a vulnerability in Microsoft Internet Explorer, which can be exploited by malicious people to trick users into downloading malicious files.

The vulnerability is caused due to Internet Explorer using the file extension from the URL's filename when saving images with the "Save Picture As" command and also strips the last file extension if multiple file extensions exist. This can be exploited by a malicious web site to cause a valid image with malicious, embedded script code to be saved with an arbitrary file extension.

Successful exploitation may allow a malicious web site to trick users into downloading e.g. a malicious HTML Application (.hta) masqueraded as a valid image. However, exploitation requires that the option "Hide extension for known file types" is enabled (default setting).

*The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2.*

NOTE: A PoC (Proof of Concept) is publicly available.

Solution:
*Disable the "Hide extension for known file types" option.*

Provided and/or discovered by:
cyber flash

Other References:
"Right-Clicking, Selecting 'Save Picture As' Does Not Save Image with Correct Extension":
*http://support.microsoft.com/kb/250747*


----------

