Vulnerability Note VU#630720
Microsoft Internet Explorer fails to honor "Drag and Drop" zone security preference
The Internet Explorer (IE) zone security preference for "Drag and drop or copy and paste files" is not honored with Windows XP and Windows Server 2003.
IE provides several settings for the various security zones. These settings can prevent certain actions from taking place in their respective zones. One such setting is "Drag and drop or copy and paste files." Windows XP and Windows Server 2003 fail to honor this preference, always allowing such operations to take place. Because IE does not honor this setting on these platforms, it cannot be used as a workaround to prevent "drag and drop" style attacks.
IE will permit drag and drop or copy and paste operations, even when the security settings indicate otherwise. By convincing a user to perform a drag and drop operation, an attacker could copy arbitrary files to a known location on a user's computer. If the target location is shell:startup, then it is possible to cause arbitrary code to be automatically executed the next time the user logs in. When combined with VU#413886 and VU#490708, the drag and drop operation can be triggered by actions such as dragging the IE scrollbar, selecting text, or clicking an image.
Apply a patch
Apply the patch referenced in MS04-038. The Security Bulletin states:
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Microsoft Corporation | Affected | 01 Sep 2004 | 15 Oct 2004 |
CVSS Metrics
This vulnerability was reported by Will Dormann.
This document was written by Will Dormann.
- CVE IDs: CAN-2004-0979
- Date Public: 13 Oct 2004
- Date First Published: 18 Oct 2004
- Date Last Updated: 28 Oct 2004
- Severity Metric: 0.56
- Document Revision: 21