‘Drag-and-Drop’ IE Flaw Persists

Microsoft officials confirmed the existence of two
vulnerabilities within Internet Explorer 6.0 that affect all versions of
Windows, including Windows XP Service Pack 2 users.

It’s a continuation of the “drag-and-drop”
flaw security officials at Microsoft have spent more than two months

The flaws, rated “highly critical” by security outfit Secunia
Research in a report Wednesday, when used in conjunction, can allow the owner
of a Web site to dump a malicious file into a user’s startup folder, which
will be executed when the system is rebooted.

The first vulnerability is caused by insufficient validation of
drag-and-drop events from the “Internet Zone” to the “Local Computer” zone,
the report states. Images or files downloaded by a user can be embedded
with HTML code containing arbitrary scripts and bypass the security measures
in place.

The second vulnerability allows an embedded HTML Help control to
reference a “specially crafted index (.hnk) file,” which in turn executes
local HTML documents.

Together the two vulnerabilities can give a cracker the
means to allow remote access to the machine, Secunia officials said.

“The two vulnerabilities in combination with an inappropriate behavior where
the ActiveX Data Object (ADO) model can write arbitrary files can be
exploited to compromise a user’s system,” the report noted. “This has been
confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft
Windows XP SP2.”

While Microsoft is still investigating the Secunia report, officials
downplayed the severity of the threat, saying that in order for a user’s
system to be compromised, it would require significant user action to launch
the executable.

Also, users with Internet Security zone settings set to
high are not affected by the vulnerability, nor are corporate users whose
administrators have restricted access to the startup folder on the
client machine.

“An attacker would need to first entice the user to visit a specific Web
site and then entice the user to take a series of specific actions on the Web
site, then reboot or log off before the attack could succeed,” a
Microsoft spokesperson said.

The impact of the vulnerability is unknown at this time, though Microsoft
officials did say they might provide a fix in one of its monthly patch
updates or issue one out-of-cycle, depending on the impact.

Redmond officials recommend users who have installed the latest round
of patches for Internet Explorer, specifically the update
that patches the drag-and-drop vulnerability, to set the “Drag and
Drop or copy and paste files” option in the Internet and Intranet zones to
“Disable” or “Prompt.”

Once this is done, officials said the two vulnerabilities
won’t succeed.

Secunia advises users to disable Active Scripting or use another browser. A
tutorial to disable active content can be found here.

News Around the Web