August 19th, 2004, 06:38 PM
Microsoft Internet Explorer Drag and Drop Vulnerability
For more information, check out this link.
http-equiv has discovered a vulnerability in Microsoft Internet Explorer, which can be exploited by malicious people to compromise a user's system.
The vulnerability is caused by insufficient validation of drag and drop events issued from the "Internet" zone to local resources. This can be exploited by a malicious website to e.g. plant an arbitrary executable file in a user's startup folder, which will get executed the next time Windows starts up.
http-equiv has posted a PoC (Proof of Concept), which plants a program in the startup directory when a user drags a program masqueraded as an image.
NOTE: Even though the PoC depends on the user performing a drag and drop event, it may potentially be rewritten to use a single click as user interaction instead.
This vulnerability is a variant of an issue discovered by Liu Die Yu.
The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP1/SP2.
Disable Active Scripting or use another product.
Provided and/or discovered by:
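The advisory above describes the symptom a victim ends up with: an executable, possibly carrying an image extension, sitting in the Startup folder. The script below is an added example for this thread (not code from the advisory, from http-equiv or from Secunia) that audits a Startup folder for exactly that: files with an executable extension, and files whose bytes are a PE binary even though their extension says "image". The XP-era folder layout under USERPROFILE / ALLUSERSPROFILE is an assumption, and the sample files are constructed so the audit can be exercised on any machine.

```python
"""Audit a Windows Startup folder for executables and for files whose content
does not match their extension (a PE binary saved as "photo.jpg", for example).

Added example for this thread; not part of the advisory or of any Secunia or
http-equiv code. It checks the symptom the advisory describes (a program
planted in the Startup folder), not the browser flaw itself. Folder paths and
sample file names are assumptions / constructed test data.
"""
import os
import struct
import tempfile
from pathlib import Path

# Extensions Windows will run directly from the Startup folder (non-exhaustive).
EXEC_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta"}


def default_startup_dirs():
    """Per-user and all-users Startup folders (Windows XP-era layout; assumption)."""
    candidates = []
    profile = os.environ.get("USERPROFILE")
    if profile:
        candidates.append(Path(profile) / "Start Menu" / "Programs" / "Startup")
    all_users = os.environ.get("ALLUSERSPROFILE")
    if all_users:
        candidates.append(Path(all_users) / "Start Menu" / "Programs" / "Startup")
    return [p for p in candidates if p.is_dir()]


def is_pe_file(path):
    """True if the file has a DOS 'MZ' header whose e_lfanew points at a 'PE\\0\\0' signature."""
    try:
        with open(path, "rb") as f:
            head = f.read(64)
            if len(head) < 64 or head[:2] != b"MZ":
                return False
            pe_offset = struct.unpack_from("<I", head, 0x3C)[0]  # e_lfanew
            f.seek(pe_offset)
            return f.read(4) == b"PE\x00\x00"
    except OSError:
        return False


def audit_startup_dir(directory):
    """Return one finding per file in `directory` that is executable or mislabelled."""
    findings = []
    for entry in sorted(Path(directory).iterdir()):
        if not entry.is_file():
            continue
        ext = entry.suffix.lower()
        pe = is_pe_file(entry)
        reasons = []
        if ext in EXEC_EXTENSIONS:
            reasons.append("executable extension")
        if pe and ext not in EXEC_EXTENSIONS:
            # The masquerade the advisory describes: a program dressed up as an image.
            reasons.append("PE binary with non-executable extension")
        if reasons:
            findings.append({"path": str(entry), "name": entry.name, "pe": pe, "reasons": reasons})
    return findings


def build_sample_startup_dir():
    """Constructed fixture: a temp dir holding a benign text file, a real GIF header,
    a plain .exe and a PE disguised as a JPEG. Returns the directory as a Path."""
    d = Path(tempfile.mkdtemp(prefix="startup_audit_"))
    fake_pe = bytearray(64)
    fake_pe[0:2] = b"MZ"
    struct.pack_into("<I", fake_pe, 0x3C, 64)  # e_lfanew: PE signature right after the DOS header
    fake_pe += b"PE\x00\x00"
    (d / "notes.txt").write_bytes(b"harmless text\n")
    (d / "real.gif").write_bytes(b"GIF89a" + b"\x00" * 10)
    (d / "tool.exe").write_bytes(bytes(fake_pe))
    (d / "photo.jpg").write_bytes(bytes(fake_pe))
    return d


if __name__ == "__main__":
    # Audit the real Startup folders when they exist, otherwise the constructed sample.
    for d in default_startup_dirs() or [build_sample_startup_dir()]:
        for hit in audit_startup_dir(d):
            print(f"{hit['path']}: {', '.join(hit['reasons'])}")
```

The extension check alone would miss the advisory's scenario, which is why the script also reads the header: a dropped "image" that parses as a PE is the signal worth alerting on, and a file that fails both checks (notes.txt, real.gif) stays quiet.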
August 19th, 2004, 11:07 PM
Read my lips:
Get Rid of IE ASAP! Everybody, please just don't use it. That thing has more vulnerabilities in it than I got teeth in my mouth. And worst is, MS takes a long time to patch it. And IE is not even fun. Use Firefox or Opera, just get rid of IE. It's not good for your health.
It's time to put an end to malicious code & black hat hackers - Use a firewall and antivirus!
August 20th, 2004, 07:01 PM
Thanks for the info Spyder..
NeonWizard.. I hear ya.. but you can't just "get rid" of IE.. you still need it to update (patches) @ Microsoft's site. Now most of the patches are for IE or Outlook, but there are others besides the ones for IE/Outlook. So.. I say keep it, update it, but don't use it except for getting updates.
August 20th, 2004, 07:27 PM
Exactly, I use Firefox 100% of the time but keep IE on the machine and update it with Microsoft's patches when they come out. Thankfully, I made Firefox my default browser and everything, so IE is barely in the way.
August 20th, 2004, 09:53 PM
I'm pretty sure there's been more than 3 vulnerabilities for IE/OE but I'll take your word for that.
That thing has more vulnerabilities in it than I got teeth in my mouth.
As an aside, are you going to fund the training budget for my 650 users? Then, when Opera or Firefox or whatever are the ones suffering all the vulnerabilities while IE is no longer the target are you going to fund the retraining budget?
Oh, and before someone jumps up and tells me that you can make Mozilla or whatever look just like IE..... Trust me, as stupid as users are they recognize the change and it is my experience that the one thing the idiots can't handle, and makes them whine the most, is change.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
August 20th, 2004, 11:22 PM
Hear hear. Couldn't agree more, TigerShark, but so far (and I say so far lightly) most of the people I recommend Firefox to (that are converting from IE) transition fairly well and aren't "scared or overwhelmed" by it. However, you are right, most people whine and bitch about change in anything. It's one of the main reasons the fight to get Linux pre-installed on systems and into the mainstream has been a long and strenuous road.
the one thing the idiots can't handle, and makes them whine the most, is change.