Note: This vulnerability as well as several more can be found at http://www.greyhats.cjb.net

Download Window Filename + Filetype Spoofing Vulnerability 

[Tested]
IEXPLORE.EXE file version 6.0.2800.1106
MSHTML.DLL file version 6.00.2800.1400
Microsoft Windows XP sp2 

[Discussion]
When a webpage offers a file who's mime type can't be opened in a browser, Internet Explorer usually displays a download window with the filename and its type. Previous vulnerabilities have been used to spoof the filename so the victim thinks the file is something it isn't. This is one of those vulnerabilities. 

Window.createPopup() creates a popup that goes on top of every other window. This includes applications other than internet explorer. This doesn't seem like the greatest idea, but it could be useful if you want to get urgent information out to someone. By placing the popup in a certain location, we can cover up the filename and its type in the download window and replace it with our own. One more thing, we need to set the popup's onoffload to open itself back up, because if the parent window is clicked after a popup opens, the popup is closed. 

The example tells internet explorer to download badfile.exe, which of course is an 'Application'. A popup is then opened covering up the filename and type and replaces it with 'sexycoeds.jpg' (GGW commercial was on when I was writing this ;) which is a 'JPEG Image'. The viewer should press 'open' to view the sexy coeds right away, which will download and run badfile.exe. If you want, you can name the executable sexycoeds.exe and change the icon so if the user presses 'save' windows should hide the extension and it will still look like a jpg image. 

[Example]
http://freehost07.websamba.com/greyhats/dlwinspoof.htm