Microsoft DHTML Drag-and-Drop events insufficiently validated

Overview

Microsoft DHTML Drag-and-Drop events can manipulate windows to copy objects from one domain to another, including the Local Machine Zone. This vulnerability could allow an attacker to write arbitrary files to the local file system.

Description

Microsoft Drag-and-Drop events do not properly validate objects before placing them on a user’s system. For more information concerning Drag-and-Drop vulnerabilities please refer to VU#526089 and VU#413886. According to Microsoft

_The update for the “Drag-and-Drop Vulnerability” (CAN-2005-0053) comes in two parts. It is addressed in part in this security bulletin. This security bulletin [MS05-008], together with security bulletin MS05-014, makes up the update for CAN-2005-0053. These updates do not have to be installed in any particular order. However, we recommend that you install both updates. _

MS05-014 creates and installs a list of file types within Internet Explorer that are allowed to be transferred via a Drag-and-Drop event.

MS05-008 introduces a more strict validation procedure for Drag-and-Drop events within the Windows shell.

For more information on these vulnerabilities and their remediation, please see MS05-014 and MS05-008_, _as well as MS04-038.

---

Impact

If a remote attacker can persuade a user to access a specially crafted web page, that attacker may be able to write arbitrary files to the local file system.

---

Solution

Apply Patch

Microsoft has released patches to address this vulnerability available in MS05-014 and MS05-008. In addition, users should apply the patch described in MS04-038.

---

Consider Workarounds Described in Knowledge Base Article 888534

Microsoft Knowledge Base article 888534 describes several ways to help protect a computer from attacks that may use “drag and drop” features in IE.
**
Disable Drag-and-Drop or Copy and Paste Files**

Disabling the zone security preference “Drag and drop or copy and paste files” prevents drag and drop operations.
**
Note:This preference is not honored with Windows XP and Windows Server 2003 operating systems that do not have the MS04-038 update (VU#630720). Without the patch, Windows XP and Windows Server 2003 will always allow drag and drop events to occur, regardless of the zone security setting. After the patch in MS04-038 is installed, the preference to disable drag and drop events is honored. However, in our testing, the “Prompt” option now behaves the same as “Disable” with Windows XP and Windows Server 2003. If set to “Prompt,” the drag and drop events will not occur and there will be no prompt. **
Render Email in Plain Text

Configure email client software (mail user agent [MUA]) to render email messages in plaint text. Instructions to configure Outlook 2002 and Outlook Express 6 are available in Microsoft Knowledge Base Articles 307594 and 291387, respectively. HTML-formatted email messages may not appear properly. However, script will not be evaluated, thus preventing certain types of attacks.
**
Maintain Updated Anti-virus Software**
_
_Anti-virus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely on anti-virus software to defend against this vulnerability.

---

Vendor Information

698835

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Microsoft Corporation __ Affected

Updated: February 08, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see MS05-014 and MS05-008_, _as well as MS04-038.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23698835 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.microsoft.com/technet/security/Bulletin/ms05-014.mspx&gt;
• <http://www.microsoft.com/technet/security/Bulletin/ms05-008.mspx&gt;
• <http://www.microsoft.com/technet/security/bulletin/ms04-038.mspx&gt;
• <http://support.microsoft.com/kb/291387&gt;
• <http://support.microsoft.com/kb/307594&gt;
• <http://support.microsoft.com/kb/888534&gt;

Acknowledgements

This vulnerability was reported in Microsoft Security Bulletins MS05-014 and MS05-008. Microsoft acknowledged Michael Krax as a reporter of CAN-2005-0053.

This document was written by Jeff Gennari based on information from Microsoft Security Bulletins MS05-014 and MS05-008.

Other Information

CVE IDs:	CVE-2005-0053
Severity Metric:	28.13 Date Public: