Also by Mona:
These next two filters are regarding a different IE
exploit. JarC helped explain it much this way:
----------------------------------------------------------
When clicking a link, the URL indicates that File A is being returned. When
the response is returned, however, there is a second file/filename attached as
indicated in the header "Content-Disposition: attachment [OR inline];
filename=[File B]". Depending on the content-type specified for the file in
the *URL*, either an automatic download occurs followed by a subsequent
execution of the "attachment" (NO prompt!), OR you are presented with a dialog
asking if you want to 'Open' or 'Save' the file. When prompted, however, the
name that is displayed in the initial dialog is for File A, not the actual
filename as indicated in the content-disposition header (File B).
If you choose 'Open', once again File B auto-loads; but if you choose 'Save',
the filename for File B *is* finally displayed in the save dialog in all
versions of IE. At this point, a danger still exists as the user may not
notice the difference in filenames between the initial prompt and the save
dialog.
[HTTP headers]
In = TRUE
Out = FALSE
Key = "Content-Disposition: [IE Exploit] Reveal Attached Filename (in)"
Match = "*filename=$AV(\1&(^*%00*))*"
Replace = "filename=\1"

In = TRUE
Out = FALSE
Key = "Content-Type: [IE Exploit] Application/Force-Download (in)"
Match = "(*|(^?))&$IHDR(Content-Disposition:*filename=*)"
Replace = "application/force-download"
Test Page
http://www.heise.de/ct/browsercheck/readme.txt
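
A check for the File A / File B mismatch described above, as an added example that is not part of the original post or its filter set: it compares the filename in the URL with the one in Content-Disposition and applies the same Content-Type rewrite as the second filter. The function names, the lower-case header dict and the sample response are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, unquote

# filename parameter of a Content-Disposition value, quoted or bare
FILENAME_RE = re.compile(r'filename\s*=\s*(?:"([^"]*)"|([^;\s]+))', re.IGNORECASE)

def _ext(name):
    """Lower-cased extension without the dot, '' when there is none."""
    base, dot, ext = name.rpartition(".")
    return ext.lower() if dot and base else ""

def url_filename(url):
    """File A: last path segment of the URL the user clicked."""
    return unquote(urlsplit(url).path).rsplit("/", 1)[-1]

def header_filename(value):
    """File B: filename from Content-Disposition, or None if absent."""
    m = FILENAME_RE.search(value or "")
    if m is None:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)

def inspect_response(url, headers):
    """Return (findings, headers_out); header names are expected in lower case."""
    findings, out = [], dict(headers)
    file_b = header_filename(headers.get("content-disposition"))
    if file_b is None:
        return findings, out          # no attached filename, nothing to do
    file_a = url_filename(url)
    if "%00" in file_b or "\x00" in file_b:
        findings.append("encoded NUL in attached filename")
    if file_a.lower() != file_b.lower():
        findings.append(f"URL names {file_a!r}, header attaches {file_b!r}")
    if _ext(file_a) != _ext(file_b):
        findings.append(f"extension changes: .{_ext(file_a)} -> .{_ext(file_b)}")
    # Same rewrite as the second filter on the page.
    out["content-type"] = "application/force-download"
    return findings, out

# Constructed sample response (not captured traffic).
SAMPLE_URL = "http://example.test/docs/readme.txt"
SAMPLE_HEADERS = {"content-type": "text/plain",
                  "content-disposition": 'attachment; filename="setup.exe"'}

if __name__ == "__main__":
    for line in inspect_response(SAMPLE_URL, SAMPLE_HEADERS)[0]:
        print("WARN:", line)
```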