Vulnerability Note VU#526089
Microsoft Internet Explorer treats arbitrary files as images for drag and drop operations
Microsoft Internet Explorer (IE) treats arbitrary files as images during drag and drop mouse operations. This could allow an attacker to trick a user into copying a file to a location where it may be executed, such as the Windows StartUp folder.
IE treats any file referenced by an IMG tag in HTML as an image. IE treats images differently with respect to drag and drop operations. When a drag and drop operation is performed on an image, IE creates a copy of the image and places it in the location where the mouse is released. IE assumes that the source (e.g., SRC or DYNSRC attribute) of an IMG element is a valid image file, regardless of the actual contents of the file. For example, a drag and drop operation on an IMG element with an executable source file will copy the executable file without presenting a download dialog.
If the DYNSRC attribute for the image is used, IE displays the image specified by the SRC attribute but copies the file specified by the DYNSRC attribute. This behavior allows any arbitrary file to masquerade as an image.
By convincing a user to perform a drag and drop operation, an attacker could copy malicious code to the local file system. If the malicious code is placed in the Windows StartUp folder, the code will be executed automatically when the user logs in. In combination with a vulnerability in the way IE allows the manipulation of window objects during mouse events (VU#413886), an attacker could write arbitrary files by convincing a user to click anywhere within the attacker's HTML document or on the scroll bar of the document window. Given the ability to spoof GUI elements, including the entire desktop (VU#490708), an attacker could easily convince a user to click on the attacker's HTML document.
Apply a patch
Consider workarounds described in Knowledge Base article 888534
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Microsoft Corporation||Affected||09 Sep 2004||13 Oct 2004|
CVSS Metrics (Learn More)
Thanks to http-equiv for reporting this vulnerability.
This document was written by Will Dormann and Art Manion.
- CVE IDs: CAN-2004-0839
- Date Public: 18 Aug 2004
- Date First Published: 14 Sep 2004
- Date Last Updated: 28 Oct 2004
- Severity Metric: 15.96
- Document Revision: 28
If you have feedback, comments, or additional information about this vulnerability, please send us email.