CVSS2
Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |
Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |

EPSS Percentile: 98.6%
Microsoft DHTML Drag-and-Drop events can manipulate windows to copy objects from one domain to another, including the Local Machine Zone. This vulnerability could allow an attacker to write arbitrary files to the local file system.
Microsoft Drag-and-Drop events do not properly validate objects before placing them on a user’s system. For more information concerning Drag-and-Drop vulnerabilities, please refer to VU#526089 and VU#413886. According to Microsoft:
_The update for the “Drag-and-Drop Vulnerability” (CAN-2005-0053) comes in two parts. It is addressed in part in this security bulletin. This security bulletin [MS05-008], together with security bulletin MS05-014, makes up the update for CAN-2005-0053. These updates do not have to be installed in any particular order. However, we recommend that you install both updates._
MS05-014 creates and installs a list of file types within Internet Explorer that are allowed to be transferred via a Drag-and-Drop event.
MS05-008 introduces a more strict validation procedure for Drag-and-Drop events within the Windows shell.
For more information on these vulnerabilities and their remediation, please see MS05-014 and MS05-008, as well as MS04-038.
If a remote attacker can persuade a user to access a specially crafted web page, that attacker may be able to write arbitrary files to the local file system.
Apply Patch
Microsoft has released patches to address this vulnerability available in MS05-014 and MS05-008. In addition, users should apply the patch described in MS04-038.
Consider Workarounds Described in Knowledge Base Article 888534
Microsoft Knowledge Base article 888534 describes several ways to help protect a computer from attacks that may use “drag and drop” features in IE.
**Disable Drag-and-Drop or Copy and Paste Files**
Disabling the zone security preference “Drag and drop or copy and paste files” prevents drag and drop operations.
**Note: This preference is not honored with Windows XP and Windows Server 2003 operating systems that do not have the MS04-038 update (VU#630720). Without the patch, Windows XP and Windows Server 2003 will always allow drag and drop events to occur, regardless of the zone security setting. After the patch in MS04-038 is installed, the preference to disable drag and drop events is honored. However, in our testing, the “Prompt” option now behaves the same as “Disable” with Windows XP and Windows Server 2003. If set to “Prompt,” the drag and drop events will not occur and there will be no prompt.**
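To check this workaround across zones, the following added example (not part of the original advisory or of Microsoft's tooling) parses the text of a registry export and reports each zone's configured setting alongside the effective behavior described in the note above. It assumes a Windows XP or Windows Server 2003 host and that the preference is stored as URL action 1802 (data 0, 1 or 3) under the Internet Settings `Zones` key, which this page does not state; the export text is constructed.

```python
import re

# Assumption: 1802 is the URL action ID behind the zone preference "Drag and
# drop or copy and paste files"; data values 0 = Enable, 1 = Prompt, 3 = Disable.
ACTION = "1802"
SETTINGS = {0: "Enable", 1: "Prompt", 3: "Disable"}
# Per the note above (XP / Server 2003 with MS04-038): Prompt acts like Disable.
EFFECTIVE = {"Enable": "allowed", "Prompt": "blocked", "Disable": "blocked"}
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

# Constructed sample: text of a `reg export` of the Zones key, not real host data.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1802"=dword:00000003
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1400"=dword:00000000
"1802"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1802"=dword:00000001
'''

KEY_RE = re.compile(r'^\[.*\\Internet Settings\\Zones\\(\d)\]$', re.I)
VAL_RE = re.compile(r'^"%s"=dword:([0-9a-f]{8})$' % ACTION, re.I)

def parse_zone_settings(export_text):
    """Return {zone_number: raw 1802 value} found in .reg export text."""
    found, zone = {}, None
    for line in export_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            zone = int(key.group(1))
        elif line.startswith("["):
            zone = None  # a different key: stop attributing values to a zone
        elif zone is not None and VAL_RE.match(line):
            found[zone] = int(VAL_RE.match(line).group(1), 16)
    return found

def audit(export_text, ms04_038_installed):
    """Map zone name -> (configured setting, effective drag-and-drop behaviour)."""
    report = {}
    for zone, raw in sorted(parse_zone_settings(export_text).items()):
        setting = SETTINGS.get(raw, "Unknown")
        # Without MS04-038, XP / Server 2003 ignore the preference entirely.
        effective = (EFFECTIVE.get(setting, "unknown") if ms04_038_installed
                     else "allowed (preference ignored)")
        report[ZONES.get(zone, str(zone))] = (setting, effective)
    return report
```

Zones that have no 1802 value in the export are omitted from the report, so a missing zone means the value was not present in the exported key, not that the zone is protected.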
Render Email in Plain Text
Configure email client software (mail user agent [MUA]) to render email messages in plain text. Instructions to configure Outlook 2002 and Outlook Express 6 are available in Microsoft Knowledge Base Articles 307594 and 291387, respectively. HTML-formatted email messages may not appear properly. However, script will not be evaluated, thus preventing certain types of attacks.
**Maintain Updated Anti-virus Software**
Anti-virus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely on anti-virus software to defend against this vulnerability.
698835
Updated: February 08, 2005
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Please see MS05-014 and MS05-008, as well as MS04-038.
This vulnerability was reported in Microsoft Security Bulletins MS05-014 and MS05-008. Microsoft acknowledged Michael Krax as a reporter of CAN-2005-0053.
This document was written by Jeff Gennari based on information from Microsoft Security Bulletins MS05-014 and MS05-008.
Field | Value |
---|---|
CVE IDs: | CVE-2005-0053 |
Severity Metric: | 28.13 |
Date Public: | |