CVSS2: 5 (Medium)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
EPSS: 0.846 (High), Percentile: 98.5%
Microsoft Internet Explorer (IE) treats arbitrary files as images during drag and drop mouse operations. This could allow an attacker to trick a user into copying a file to a location where it may be executed, such as the Windows StartUp folder.
IE treats any file referenced by an IMG tag in HTML as an image. IE treats images differently with respect to drag and drop operations. When a drag and drop operation is performed on an image, IE creates a copy of the image and places it in the location where the mouse is released. IE assumes that the source (e.g., SRC or DYNSRC attribute) of an IMG element is a valid image file, regardless of the actual contents of the file. For example, a drag and drop operation on an IMG element with an executable source file will copy the executable file without presenting a download dialog.
If the DYNSRC attribute for the image is used, IE displays the image specified by the SRC attribute but copies the file specified by the DYNSRC attribute. This behavior allows any arbitrary file to masquerade as an image.
By convincing a user to perform a drag and drop operation, an attacker could copy malicious code to the local file system. If the malicious code is placed in the Windows StartUp folder, the code will be executed automatically when the user logs in. In combination with a vulnerability in the way IE allows the manipulation of window objects during mouse events (VU#413886), an attacker could write arbitrary files by convincing a user to click anywhere within the attacker’s HTML document or on the scroll bar of the document window. Given the ability to spoof GUI elements, including the entire desktop (VU#490708), an attacker could easily convince a user to click on the attacker’s HTML document.
Functional exploit code is publicly available, and there are reports of incidents such as Akak that involve this and other known vulnerabilities.
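Because IE trusted the IMG element rather than the bytes behind it, a content filter can apply the check the browser skipped. The following is an added example, not code from the original note or from Microsoft: it lists the SRC and DYNSRC targets of IMG elements in a page and reports any whose content does not begin with a known image signature. The `fetch` hook, the sample page and the sample response bodies are constructed for illustration.

```python
from html.parser import HTMLParser

# Leading bytes (file signatures) of common image formats.
IMAGE_MAGIC = {
    b"GIF87a": "gif", b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"BM": "bmp",
}

def image_type(data):
    """Return the image format named by the file signature, or None."""
    for magic, name in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None

class ImgSources(HTMLParser):
    """Collects (line, attribute, url) for every SRC/DYNSRC on an IMG tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            for name, value in attrs:
                if name in ("src", "dynsrc") and value:
                    self.sources.append((self.getpos()[0], name, value))

def audit(html, fetch):
    """Return IMG sources whose fetched bytes are not a recognised image.
    `fetch` is a caller-supplied URL -> bytes function (hypothetical hook)."""
    parser = ImgSources()
    parser.feed(html)
    parser.close()
    return [(line, attr, url) for line, attr, url in parser.sources
            if image_type(fetch(url)) is None]

# Constructed sample page and response bodies (not real traffic).
SAMPLE_HTML = """<html><body>
<img src="logo.gif">
<img src="banner.gif" dynsrc="update.exe">
</body></html>"""
SAMPLE_BODIES = {
    "logo.gif": b"GIF89a\x01\x00\x01\x00",
    "banner.gif": b"GIF89a\x01\x00\x01\x00",
    "update.exe": b"MZ\x90\x00\x03\x00",
}

if __name__ == "__main__":
    print(audit(SAMPLE_HTML, SAMPLE_BODIES.__getitem__))
```

The file name plays no part in the decision, so an executable served under an image name is reported as well; legitimate DYNSRC video sources are also reported, since the check accepts images only.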
Apply a patch
Apply the patch referenced in MS04-038. The Security Bulletin states:
This update increases the validation checking for image elements used in drag and drop events. If the element in a drag and drop event is not a valid image, this operation will be blocked. More information about this change is included in Microsoft Knowledge Base article 887437.
Consider workarounds described in Knowledge Base article 888534
Microsoft Knowledge Base article 888534 describes several ways to help protect a computer from attacks that may use “drag and drop” features in IE.
Disable Drag and drop or copy and paste files
Disabling the zone security preference “Drag and drop or copy and paste files” prevents drag and drop operations.
Note: This preference is not honored with Windows XP and Windows Server 2003 operating systems that do not have the MS04-038 update (VU#630720). Without the patch, Windows XP and Windows Server 2003 will always allow drag and drop events to occur, regardless of the zone security setting. After the patch in MS04-038 is installed, the preference to disable drag and drop events is honored. However, in our testing, the “Prompt” option now behaves the same as “Disable” with Windows XP and Windows Server 2003. If set to “Prompt,” the drag and drop events will not occur and there will be no prompt.
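The preference above is stored per security zone as URL action 1802, with the values 0 (Enable), 1 (Prompt) and 3 (Disable). The following is an added example, not part of the original note: it reads the text of a registry export and lists the zones where drag and drop remains possible, applying the behaviour the note describes for Windows XP and Windows Server 2003. The sample export is constructed, and the handling of other Windows versions and of zones with no value present is an assumption.

```python
import re

# Security zone numbers used under ...\Internet Settings\Zones\<n>
ZONES = {"0": "My Computer", "1": "Local intranet", "2": "Trusted sites",
         "3": "Internet", "4": "Restricted sites"}
POLICY = {0: "Enable", 1: "Prompt", 3: "Disable"}   # URL policy values
KEY_RE = re.compile(r"^\[.*\\Internet Settings\\Zones\\([0-4])\]$", re.I)
# 1802 is the URL action behind "Drag and drop or copy and paste files"
VAL_RE = re.compile(r'^"1802"=dword:([0-9a-f]{8})$', re.I)

def zone_settings(reg_text):
    """Map zone number -> policy name from the text of a .reg export."""
    found, zone = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            zone = m.group(1) if m else None
        elif zone is not None and (m := VAL_RE.match(line)):
            found[zone] = POLICY.get(int(m.group(1), 16), "Unknown")
    return found

def drag_drop_blocked(policy, xp_or_2003, has_ms04_038):
    """Effective result, following the note on this page."""
    if xp_or_2003 and not has_ms04_038:
        return False                            # preference is not honoured
    if xp_or_2003:
        return policy in ("Disable", "Prompt")  # Prompt behaved like Disable
    return policy == "Disable"  # assumption: other versions honour the setting

def exposed_zones(reg_text, xp_or_2003, has_ms04_038):
    """Names of zones in which drag and drop is still possible.
    A zone with no 1802 value in the export counts as exposed (assumption)."""
    settings = zone_settings(reg_text)
    return [ZONES[z] for z in sorted(ZONES)
            if not drag_drop_blocked(settings.get(z, "Unknown"),
                                     xp_or_2003, has_ms04_038)]

# Constructed sample export (not taken from a real system)
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1802"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1802"=dword:00000003
"""
```

Files written by the registry editor's export function are normally UTF-16, so open them with `encoding="utf-16"` before passing the text to `zone_settings`.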
Render email in plain text
Configure email client software (mail user agent [MUA]) to render email messages in plain text. Instructions to configure Outlook 2002 and Outlook Express 6 are available in Microsoft Knowledge Base Articles 307594 and 291387, respectively. HTML-formatted email messages may not appear properly. However, script will not be evaluated, thus preventing certain types of attacks.
Maintain updated antivirus software
Antivirus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely on antivirus software to defend against this vulnerability.
Use a different web browser
There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, the graphical user interface (GUI), and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when browsing untrusted sites. Such a decision may, however, reduce the functionality of sites that require IE-specific features such as DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control, or the HTML rendering engine (MSHTML).
526089
Notified: September 09, 2004 Updated: October 13, 2004
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Please see <http://www.microsoft.com/technet/security/bulletin/ms04-038.mspx>
Thanks to http-equiv for reporting this vulnerability.
This document was written by Will Dormann and Art Manion.
CVE IDs: CVE-2004-0839
Severity Metric: 15.96
Date Public: