Microsoft Internet Explorer treats arbitrary files as images for drag and drop operations

Overview

Microsoft Internet Explorer (IE) treats arbitrary files as images during drag and drop mouse operations. This could allow an attacker to trick a user into copying a file to a location where it may be executed, such as the Windows StartUp folder.

Description

IE treats any file referenced by an IMG tag in HTML as an image. IE treats images differently with respect to drag and drop operations. When a drag and drop operation is performed on an image, IE creates a copy of the image and places it in the location where the mouse is released. IE assumes that the source (e.g., SRC or DYNSRC attribute) of an IMG element is a valid image file, regardless of the actual contents of the file. For example, a drag and drop operation on an IMG element with an executable source file will copy the executable file without presenting a download dialog.

If the DYNSRC attribute for the image is used, IE displays the image specified by the SRC attribute but copies the file specified by the DYNSRC attribute. This behavior allows any arbitrary file to masquerade as an image.

---

Impact

By convincing a user to perform a drag and drop operation, an attacker could copy malicious code to the local file system. If the malicious code is placed in the Windows StartUp folder, the code will be executed automatically when the user logs in. In combination with a vulnerability in the way IE allows the manipulation of window objects during mouse events (VU#413886), an attacker could write arbitrary files by convincing a user to click anywhere within the attacker’s HTML document or on the scroll bar of the document window. Given the ability to spoof GUI elements, including the entire desktop (VU#490708), an attacker could easily convince a user to click on the attacker’s HTML document.
Functional exploit code is publicly available, and there are reports of incidents such as Akak that involve this and other known vulnerabilities.

---

Solution

Apply a patch
Apply the patch referenced in MS04-038. The Security Bulletin states:

This update increases the validation checking for image elements used in drag and drop events. If the element in a drag and drop event is not a valid image, this operation will be blocked. More information about this change is included in Microsoft Knowledge Base article 8__87437.

---

Consider workarounds described in Knowledge Base article 888534

Microsoft Knowledge Base article 888534 describes several ways to help protect a computer from attacks that may use “drag and drop” features in IE.

Disable Drag and drop or copy and paste files

Disabling the zone security preference “Drag and drop or copy and paste files” prevents drag and drop operations.

Note: This preference is not honored with Windows XP and Windows Server 2003 operating systems that do not have the MS04-038 update (VU#630720). Without the patch, Windows XP and Windows Server 2003 will always allow drag and drop events to occur, regardless of the zone security setting. After the patch in MS04-038 is installed, the preference to disable drag and drop events is honored. However, in our testing, the “Prompt” option now behaves the same as “Disable” with Windows XP and Windows Server 2003. If set to “Prompt,” the drag and drop events will not occur and there will be no prompt.

Render email in plain text

Configure email client software (mail user agent [MUA]) to render email messages in plaint text. Instructions to configure Outlook 2002 and Outlook Express 6 are available in Microsoft Knowledge Base Articles 307594 and 291387, respectively. HTML-formatted email messages may not appear properly. However, script will not be evaluated, thus preventing certain types of attacks.

Maintain updated antivirus software

Antivirus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely on antivirus software to defend against this vulnerability.

Use a different web browser

There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, the graphical user interface (GUI), and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when browsing untrusted sites. Such a decision may, however, reduce the functionality of sites that require IE-specific features such as DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control, or the HTML rendering engine (MSHTML).

---

Vendor Information

526089

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Microsoft Corporation __ Affected

Notified: September 09, 2004 Updated: October 13, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see <http://www.microsoft.com/technet/security/bulletin/ms04-038.mspx&gt;

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23526089 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.microsoft.com/technet/security/bulletin/ms04-038.mspx&gt;
• <http://secunia.com/advisories/12321/&gt;
• <http://www.securityfocus.com/bid/10973&gt;
• <http://xforce.iss.net/xforce/xfdb/13679&gt;
• <http://xforce.iss.net/xforce/xfdb/17044&gt;
• <http://www.osvdb.org/displayvuln.php?osvdb_id=9070&gt;
• <http://archives.neohapsis.com/archives/fulldisclosure/2004-08/0814.html&gt;

Acknowledgements

Thanks to http-equiv for reporting this vulnerability.

This document was written by Will Dormann and Art Manion.

Other Information

CVE IDs:	CVE-2004-0839
Severity Metric:	15.96 Date Public: