Vulnerability Note VU#526089

Microsoft Internet Explorer treats arbitrary files as images for drag and drop operations

Original Release date: 14 Sep 2004 | Last revised: 28 Oct 2004

Overview

Microsoft Internet Explorer (IE) treats arbitrary files as images during drag and drop mouse operations. This could allow an attacker to trick a user into copying a file to a location where it may be executed, such as the Windows StartUp folder.

Description

IE treats any file referenced by an IMG tag in HTML as an image. IE treats images differently with respect to drag and drop operations. When a drag and drop operation is performed on an image, IE creates a copy of the image and places it in the location where the mouse is released. IE assumes that the source (e.g., SRC or DYNSRC attribute) of an IMG element is a valid image file, regardless of the actual contents of the file. For example, a drag and drop operation on an IMG element with an executable source file will copy the executable file without presenting a download dialog.

If the DYNSRC attribute for the image is used, IE displays the image specified by the SRC attribute but copies the file specified by the DYNSRC attribute. This behavior allows any arbitrary file to masquerade as an image.
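As an added illustration (not part of the advisory), the check below shows how a mail or web content filter could flag the pattern the note describes: an IMG element whose copied file, DYNSRC when present and otherwise SRC, does not carry an image extension. The sample page, attribute names and extension lists are constructed here and are assumptions, not the advisory's data.

```python
"""Flag IMG elements whose drag-and-drop source is not an image file."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions accepted as genuine image files (assumption for this example).
IMAGE_EXTS = {".gif", ".jpg", ".jpeg", ".png", ".bmp", ".ico"}


class _ImgCollector(HTMLParser):
    """Collects the attributes of every IMG element in a document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _ext(url):
    """Lower-cased extension of the path part of a URL ('' if none)."""
    path = urlparse(url).path
    dot = path.rfind(".")
    return path[dot:].lower() if dot > path.rfind("/") else ""


def find_suspicious_images(html):
    """Return (reason, src, dynsrc) for every IMG whose copied file is not an image.

    IE copies the DYNSRC file when the attribute is present, otherwise the SRC
    file, so DYNSRC is what must be inspected; SRC only controls what is drawn.
    """
    collector = _ImgCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.images:
        src = attrs.get("src", "")
        dynsrc = attrs.get("dynsrc")  # None when the attribute is absent
        copied = dynsrc if dynsrc is not None else src
        if _ext(copied) not in IMAGE_EXTS:
            findings.append(("non-image source", src, dynsrc))
    return findings


# Constructed sample page: one benign image, one IMG whose SRC is an
# executable, one masquerading via DYNSRC, one DYNSRC that is a real image.
SAMPLE_HTML = """<html><body>
<img src="logo.gif">
<img src="update.exe">
<img src="kitten.jpg" dynsrc="dropper.exe">
<img src="a.png" dynsrc="b.gif">
</body></html>"""

if __name__ == "__main__":
    for finding in find_suspicious_images(SAMPLE_HTML):
        print(finding)
```

Extension matching is only a heuristic: the MS04-038 fix validates the image content itself, and a filter like this should be treated as a screening aid rather than a substitute for the patch.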

Impact

By convincing a user to perform a drag and drop operation, an attacker could copy malicious code to the local file system. If the malicious code is placed in the Windows StartUp folder, the code will be executed automatically when the user logs in. In combination with a vulnerability in the way IE allows the manipulation of window objects during mouse events (VU#413886), an attacker could write arbitrary files by convincing a user to click anywhere within the attacker's HTML document or on the scroll bar of the document window. Given the ability to spoof GUI elements, including the entire desktop (VU#490708), an attacker could easily convince a user to click on the attacker's HTML document.
Functional exploit code is publicly available, and there are reports of incidents such as Akak that involve this and other known vulnerabilities.

Solution

Apply a patch

Apply the patch referenced in MS04-038. The Security Bulletin states:

    This update increases the validation checking for image elements used in drag and drop events. If the element in a drag and drop event is not a valid image, this operation will be blocked. More information about this change is included in Microsoft Knowledge Base article 887437.

Consider workarounds described in Knowledge Base article 888534

Microsoft Knowledge Base article 888534 describes several ways to help protect a computer from attacks that may use "drag and drop" features in IE.

Disable Drag and drop or copy and paste files

Disabling the zone security preference "Drag and drop or copy and paste files" prevents drag and drop operations.

Note: This preference is not honored with Windows XP and Windows Server 2003 operating systems that do not have the MS04-038 update (VU#630720). Without the patch, Windows XP and Windows Server 2003 will always allow drag and drop events to occur, regardless of the zone security setting. After the patch in MS04-038 is installed, the preference to disable drag and drop events is honored. However, in our testing, the "Prompt" option now behaves the same as "Disable" with Windows XP and Windows Server 2003. If set to "Prompt," the drag and drop events will not occur and there will be no prompt.

Render email in plain text

Configure email client software (mail user agent [MUA]) to render email messages in plain text. Instructions to configure Outlook 2002 and Outlook Express 6 are available in Microsoft Knowledge Base Articles 307594 and 291387, respectively. HTML-formatted email messages may not appear properly. However, script will not be evaluated, thus preventing certain types of attacks.

Maintain updated antivirus software

Antivirus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely on antivirus software to defend against this vulnerability.

Use a different web browser

There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, the graphical user interface (GUI), and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when browsing untrusted sites. Such a decision may, however, reduce the functionality of sites that require IE-specific features such as DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control, or the HTML rendering engine (MSHTML).

Systems Affected

Vendor                 Status    Date Notified  Date Updated
Microsoft Corporation  Affected  09 Sep 2004    13 Oct 2004

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A

Credit

Thanks to http-equiv for reporting this vulnerability.

This document was written by Will Dormann and Art Manion.

Other Information

  • CVE IDs: CAN-2004-0839
  • Date Public: 18 Aug 2004
  • Date First Published: 14 Sep 2004
  • Date Last Updated: 28 Oct 2004
  • Severity Metric: 15.96
  • Document Revision: 28