Vulnerability Note VU#698835

Microsoft DHTML Drag-and-Drop events insufficiently validated

Original Release date: 08 Feb 2005 | Last revised: 09 Feb 2005


Microsoft DHTML Drag-and-Drop events can manipulate windows to copy objects from one domain to another, including the Local Machine Zone. This vulnerability could allow an attacker to write arbitrary files to the local file system.


Microsoft Drag-and-Drop events do not properly validate objects before placing them on a user's system. For more information concerning Drag-and-Drop vulnerabilities, please refer to VU#526089 and VU#413886. According to Microsoft:

    The update for the "Drag-and-Drop Vulnerability" (CAN-2005-0053) comes in two parts. It is addressed in part in this security bulletin. This security bulletin [MS05-008], together with security bulletin MS05-014, makes up the update for CAN-2005-0053. These updates do not have to be installed in any particular order. However, we recommend that you install both updates.

MS05-014 creates and installs a list of file types within Internet Explorer that are allowed to be transferred via a Drag-and-Drop event.

MS05-008 introduces a more strict validation procedure for Drag-and-Drop events within the Windows shell.

For more information on these vulnerabilities and their remediation, please see MS05-014 and MS05-008, as well as MS04-038.


If a remote attacker can persuade a user to access a specially crafted web page, that attacker may be able to write arbitrary files to the local file system.


Apply Patch

Microsoft has released patches to address this vulnerability available in MS05-014 and MS05-008. In addition, users should apply the patch described in MS04-038.

Consider Workarounds Described in Knowledge Base Article 888534

Microsoft Knowledge Base article 888534 describes several ways to help protect a computer from attacks that may use "drag and drop" features in IE.

Disable Drag-and-Drop or Copy and Paste Files

Disabling the zone security preference "Drag and drop or copy and paste files" prevents drag and drop operations.

This preference is not honored with Windows XP and Windows Server 2003 operating systems that do not have the MS04-038 update (VU#630720). Without the patch, Windows XP and Windows Server 2003 will always allow drag and drop events to occur, regardless of the zone security setting. After the patch in MS04-038 is installed, the preference to disable drag and drop events is honored. However, in our testing, the "Prompt" option now behaves the same as "Disable" with Windows XP and Windows Server 2003. If set to "Prompt," the drag and drop events will not occur and there will be no prompt.
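An added example, not part of this vulnerability note, for auditing the workaround above: a PowerShell script that reads the "Drag and drop or copy and paste files" preference for each Internet Explorer zone. It assumes the preference is stored per zone as the registry DWORD named 1802 (the URLACTION_SHELL_MOVE_OR_COPY action code) with 0 = Enable, 1 = Prompt, 3 = Disable, and the usual zone numbering 0 to 4; the MS04-038 caveat from the text is carried into the output.

```powershell
# Added example (not from VU#698835). Assumed layout: per-zone DWORD "1802"
# under ...\Internet Settings\Zones\<n>, 0 = Enable, 1 = Prompt, 3 = Disable.
$zoneNames   = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$policyNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$valueName   = '1802'

function Get-DragDropPolicy {
    param([string]$Hive)   # 'HKCU' (what IE honors) or 'HKLM' (machine default)
    foreach ($zone in 0..4) {
        $key = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"
        $raw = (Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue).$valueName
        $policy = if ($null -eq $raw) { 'Not set' }
                  elseif ($policyNames.ContainsKey([int]$raw)) { $policyNames[[int]$raw] }
                  else { "Unknown ($raw)" }
        [pscustomobject]@{
            Hive     = $Hive
            Zone     = $zone
            ZoneName = $zoneNames[$zone]
            Policy   = $policy
            # Per the note: without MS04-038, XP / Server 2003 ignore this preference
            # entirely, and with it installed "Prompt" behaves like "Disable". Only an
            # explicit "Disable" is counted as blocked here; verify the patch level separately.
            Blocked  = ($policy -eq 'Disable')
        }
    }
}

# Show the per-user setting and the machine-wide default side by side.
Get-DragDropPolicy -Hive HKCU | Format-Table -AutoSize
Get-DragDropPolicy -Hive HKLM | Format-Table -AutoSize

# Warn for the Internet and Restricted sites zones, where web content can still
# move files into the local file system if the preference is not "Disable".
Get-DragDropPolicy -Hive HKCU |
    Where-Object { $_.Zone -ge 3 -and -not $_.Blocked } |
    ForEach-Object { Write-Warning "Zone $($_.Zone) ($($_.ZoneName)): value $valueName is '$($_.Policy)', expected 'Disable'" }
```

Run it in the context of the user whose Internet Explorer profile you want to check, since the HKCU branch is the one the browser reads.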

Render Email in Plain Text

Configure email client software (mail user agent [MUA]) to render email messages in plain text. Instructions to configure Outlook 2002 and Outlook Express 6 are available in Microsoft Knowledge Base Articles 307594 and 291387, respectively. HTML-formatted email messages may not appear properly. However, script will not be evaluated, thus preventing certain types of attacks.

Maintain Updated Anti-virus Software

Anti-virus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely on anti-virus software to defend against this vulnerability.

Systems Affected

Vendor                  Status     Date Notified   Date Updated
Microsoft Corporation   Affected   -               08 Feb 2005

CVSS Metrics

Group           Score   Vector
Base            N/A     N/A
Temporal        N/A     N/A
Environmental   N/A     N/A



This vulnerability was reported in Microsoft Security Bulletins MS05-014 and MS05-008. Microsoft acknowledged Michael Krax as a reporter of CAN-2005-0053.

This document was written by Jeff Gennari based on information from Microsoft Security Bulletins MS05-014 and MS05-008.

Other Information

  • CVE IDs: CAN-2005-0053
  • Date Public: 08 Feb 2005
  • Date First Published: 08 Feb 2005
  • Date Last Updated: 09 Feb 2005
  • Severity Metric: 28.12
  • Document Revision: 37

