Another IE Spoofing Hole Found — sigh!:
"Security researchers are warning of another spoofing vulnerability in Internet Explorer, this time one that allows an attacker to mask the true file extension of malicious downloads.

The file-extension spoof means that an attacker could lull a user into opening a malicious file from a Web site by making the file appear as a legitimate extension, such as a PDF or MPEG, researchers said on Wednesday.… "

Users can avoid the vulnerability by first saving a download to a folder, rather than directly opening it, when prompted by IE. Saving the file reveals its true file name.

A Microsoft Corp. spokeswoman said the company is investigating the file-name spoofing vulnerability but could not say whether a fix would be ready at the same time as a planned patch for another IE spoofing vulnerability.

The other vulnerability, disclosed in December, could allow attackers to fake URLs in the Web browser's address bar and convince users to disclose sensitive information.

Microsoft officials have said they have a patch ready to fix that vulnerability but are testing it for multiple versions of IE on various platforms and for various languages.…

http://www.eweek.com/article2/0,4149,1473145,00.asp