'Drag-and-Drop' IE Flaw Persists Issue Continues to Plague IE and Microsoft Jim Wagner
Microsoft officials have confirmed the existence of two vulnerabilities within Internet Explorer 6.0 that affect all versions of Windows, including Windows XP Service Pack 2 users.
It's a continuation of the "drag-and-drop" flaw security officials at Microsoft have spent more than two months fixing.
The flaws, rated "highly critical" by security outfit Secunia Research in a report Wednesday, when used in conjunction, can allow the owner of a Web site to dump a malicious file into a user's startup folder, which will be executed when the system is rebooted.
The first vulnerability is caused by insufficient validation of drag-and-drop events from the "Internet Zone" to the "Local Computer" zone, the report states. Images or files downloaded by a user can be embedded with HTML code containing arbitrary scripts and bypass the security measures in place.
The second vulnerability allows an embedded HTML Help control to reference a "specially crafted index (.hnk) file," which in turn executes local HTML documents.
Together the two vulnerabilities can give a cracker (define) the means to allow remote access to the machine, Secunia officials said.
"The two vulnerabilities in combination with an inappropriate behavior where the ActiveX Data Object (ADO) model can write arbitrary files can be exploited to compromise a user's system," the report noted. "This has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft
Windows XP SP2."
While Microsoft is still investigating the Secunia report, officials downplayed the severity of the threat, saying that in order for a user's system to be compromised, it would require significant user action to launch the executable.
Also, users with Internet Security zone settings set to high are not affected by the vulnerability, nor are corporate users whose administrators have restricted access to the startup folder on the client machine.
"An attacker would need to first entice the user to visit a specific Web site and then entice the user to take a series of specific actions on the Web site, then reboot or log off before the attack could succeed," a Microsoft spokesperson said.
The impact of the vulnerability is unknown at this time, though Microsoft officials did say they might provide a fix in one of its monthly patch updates or issue one out-of-cycle, depending on the impact.
Redmond officials recommend users who have installed the latest round of patches for Internet Explorer, specifically the update that patches the drag-and-drop vulnerability, set the "Drag and Drop or copy and paste files" option in the Internet and Intranet zones to "Disable" or "Prompt."
Once this is done, officials say the two vulnerabilities won't be able to be compromised.
Secunia advises users to disable Active Scripting or use another browser. A tutorial to disable active content can be found here.
