IE Drag and Drop Vulnerability

« Older   Newer »
 
  Share  
.
  1. dengel
    view post Posted on 19/8/2004, 21:29
        +1   -1
     
    .

    User deleted
    Secunia comunica la scoperta di una vulnerabilità su Internet Explorer 5.01 - 5.5 - 6.

    Description:
    http-equiv has discovered a vulnerability in Microsoft Internet Explorer, which can be exploited by malicious people to compromise a user's system.

    The vulnerability is caused due to insufficient validation of drag and drop events issued from the "Internet" zone to local resources. This can be exploited by a malicious website to e.g. plant an arbitrary executable file in a user's startup folder, which will get executed the next time Windows starts up.

    http-equiv has posted a PoC (Proof of Concept), which plants a program in the startup directory when a user drags a program masqueraded as an image.

    NOTE: Even though the PoC depends on the user performing a drag and drop event, it may potentially be rewritten to use a single click as user interaction instead.

    La vulnerabilità permette l'esecuzione da remoto di codice ostile sul computer vittima ; perchè sia sfruttata è necessario l'intervento dell'utente, tuttavia è poco confortante che sia stata confermata anche su XP SP2.

    Come sempre è preferibile disattivare gli script attivi nell'area Internet di Internet Explorer ( in attesa dell'ennesima patch ).
     
    Top
    .
0 replies since 19/8/2004, 21:29   495 views
  Share  
.

Windows
Create your forum and your blog! · Top Forum · Categories · Help · Status · Contacts · Powered by ForumCommunity