[原文]Internet Explorer 6 on Windows XP SP2 allows remote attackers to bypass the file download warning dialog and possibly trick an unknowledgeable user into executing arbitrary code via a web page with a body element containing an onclick tag, as demonstrated using the createElement function.
Microsoft IE Dynamic IFRAME Tag XP SP2 File Download Security Bypass
Remote / Network Access
Loss of Integrity
Microsoft Internet Explorer contains a flaw that may allow a remote attacker to bypass download security settings. The issue is triggered when creating a malicious Web page containing a 'BODY' tag that uses an 'onclick' event to trigger the 'createElement' function, which would create an 'IFRAME' window that references to a malicious file. It is possible for a remote attacker to bypass any download security settings and download arbitrary files to a system once the victim visits and clicks anywhere on the body of the malicious Web page resulting in a loss of integrity.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.