Microsoft Internet Explorer Drag and Drop Vulnerability
Results 1 to 6 of 6

Thread: Microsoft Internet Explorer Drag and Drop Vulnerability

  1. #1
    King Arana: Super Moderator
    Join Date
    Oct 2002
    Posts
    4,055

    Microsoft Internet Explorer Drag and Drop Vulnerability

    From Zone-H.org:
    08/19/2004

    Description:
    http-equiv has discovered a vulnerability in Microsoft Internet Explorer, which can be exploited by malicious people to compromise a user's system.

    The vulnerability is caused due to insufficient validation of drag and drop events issued from the "Internet" zone to local resources. This can be exploited by a malicious website to e.g. plant an arbitrary executable file in a user's startup folder, which will get executed the next time Windows starts up.

    http-equiv has posted a PoC (Proof of Concept), which plants a program in the startup directory when a user drags a program masqueraded as an image.

    NOTE: Even though the PoC depends on the user performing a drag and drop event, it may potentially be rewritten to use a single click as user interaction instead.

    This vulnerability is a variant of an issue discovered by Liu Die Yu.
    SA9711 http://secunia.com/SA9711/

    The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP1/SP2.

    Solution:
    Disable Active Scripting or use another product.

    Provided and/or discovered by:
    http-equiv

    Other References:
    SA9711:
    http://secunia.com/advisories/9711/
    For more information, check out this link.
    Space For Rent.. =]

  2. #2
    Read my lips:

    Get Rid of IE ASAP! Everybody, please just don't use it. That thing has more vulnerabilities in it than I got teeth in my mouth. And worst is, MS takes a long time to patch it. And IE is not even fun. Use FireFox or opera, just get rid of IE. It's not good for your health.
    Neon Security

    It\'s time to put an end to malicious code & black hat hackers - Use a firewall and anti virus!

  3. #3
    Member
    Join Date
    Jul 2004
    Posts
    70
    Thanks for the info Spyder..

    NeonWizard.. I hear ya.. but you can't just "get rid" of IE.. you still need it to update (patches) @microsofts site. now most of the patches are for IE or Outlook but there are others besides the ones for IE/Outlook. so.. I say keep it, update it but don't use it except for getting updates.

  4. #4
    King Arana: Super Moderator
    Join Date
    Oct 2002
    Posts
    4,055
    Exactly, I use FireFox 100% of the time but keep I.E on the machine and update it with microsoft's patches when they come out. Thankfully, I made firefox my default browser and everything so IE is barely in the way.
    Space For Rent.. =]

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    That thing has more vulnerabilities in it than I got teeth in my mouth.
    I'm pretty sure there's been more than 3 vulnerabilities for IE/OE but I'll take your word for that.

    As an aside, are you going to fund the training budget for my 650 users? Then, when Opera or Firefox or whatever are the ones suffering all the vulnerabilities while IE is no longer the target are you going to fund the retraining budget?

    Oh, and before someone jumps up and tells me that you can make Mozilla or whatever look just like IE..... Trust me, as stupid as users are they recognize the change and it is my experience that the one thing the idiots can't handle, and makes them whine the most, is change.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  6. #6
    King Arana: Super Moderator
    Join Date
    Oct 2002
    Posts
    4,055
    the one thing the idiots can't handle, and makes them whine the most, is change.
    Hear hear. Couldn't agree more TigerShark, but so far (and I say so far lightly) most of the people I recommend FireFox to (that are converting from IE) transit fairly well and aren't "scared or overwhelmed" by it. However you are right, most people whine and bitch about change in anything. One of the main reasons the fight to get Linux pre-installed on a system and on mainstream has been a long and strenuous road.
    Space For Rent.. =]

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •