Internet Explorer security hole

New Windows / Internet Explorer security hole:

  1. Upload any Windows executable you like to a web server.

  2. Set up the web server to send .exe files as text/html.

  3. Put a CLSID in the filename.

  4. Post links to the file, cloaking them via the previously announced URL cloaking bug.

  5. Wait for anyone using Internet Explorer to click on the innocent-looking link and get asked if they want to open the HTML web page.

  6. Cackle as their computer downloads the executable and runs it, without prompting them further.

Solution: Switch to Mozilla, or don’t click on “Open” to open files.
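
For anyone filtering traffic at a proxy, here is a check for the pattern in the steps above, as an added example that is not part of the original post: it flags responses whose filename contains a CLSID or whose declared text type disagrees with an executable body. The function name, reason labels and sample records (all-zero placeholder CLSID, example.test host) are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Registry-format CLSID: {8 hex-4 hex-4 hex-4 hex-12 hex}
CLSID_RE = re.compile(r"\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}")

def inspect_response(url, content_type, body_prefix):
    """Return the reasons a response matches the pattern, or [] if it is clean."""
    reasons = []
    # Decode percent-escapes so %7B...%7D forms of the braces are caught too.
    path = unquote(urlsplit(url).path)
    filename = path.rsplit("/", 1)[-1]
    # Drop parameters such as "; charset=utf-8" before comparing.
    declared = content_type.split(";", 1)[0].strip().lower()
    is_pe = body_prefix[:2] == b"MZ"  # DOS/PE executable magic bytes
    if CLSID_RE.search(filename):
        reasons.append("clsid-in-filename")
    if is_pe and declared in ("text/html", "text/plain"):
        reasons.append("executable-served-as-text")
    if filename.lower().endswith(".exe") and declared.startswith("text/"):
        reasons.append("exe-extension-with-text-type")
    return reasons

# Constructed sample records: (URL, Content-Type header, first bytes of body).
SAMPLES = [
    ("http://files.example.test/docs/index.html",
     "text/html; charset=utf-8", b"<!DOCTYPE html>"),
    ("http://files.example.test/setup.exe",
     "application/octet-stream", b"MZ\x90\x00"),
    ("http://files.example.test/notes.%7B00000000-0000-0000-0000-000000000000%7D",
     "text/html", b"MZ\x90\x00"),
    ("http://files.example.test/tool.exe",
     "text/html", b"MZ\x90\x00"),
]

def scan(samples):
    """Map each URL to its list of reasons, keeping only flagged responses."""
    flagged = {}
    for url, ctype, prefix in samples:
        reasons = inspect_response(url, ctype, prefix)
        if reasons:
            flagged[url] = reasons
    return flagged

if __name__ == "__main__":
    for url, reasons in scan(SAMPLES).items():
        print(url, "->", ", ".join(reasons))
```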