Microsoft Internet Explorer (IE) dynamic HTML (DHTML) mouse events can manipulate windows to copy objects from one domain to another, including the Local Machine Zone. This vulnerability could allow an attacker to write arbitrary files to the local file system.
In IE, certain DHTML events monitor mouse actions and are permitted to call proprietary DHTML methods that manipulate window objects. This technique can be used to create "drag and drop" operations by moving a window under an object that has registered a mouse event.
In a publicly available exploit (HijackClick, 2003-09-10), a mouse event calls a script function that invokes methods to move and resize one browser window over another. The background window contains an object (in this case, the user's Favorites directory) instantiated by a reference to a ShellNameSpace ActiveX object. The result is a new bookmark (the address of the foreground window) added to the user's Favorites list (the object in the background window). Other objects expose the local file system in this manner, for example, the user's Startup folder (shell:startup).
By convincing a victim to click on a link in an HTML document (web page, HTML email), an attacker could write arbitrary files to a vulnerable system within the security context of the user running IE. These files could contain code that could be executed through other means. MS04-004 elaborates: "Although this code could not be executed through this vulnerability directly, the operating system might open the file if it is dropped to a sensitive location, or a user may click the file inadvertently, causing the attacker's code to be executed." One example of a "sensitive location" is the user's Startup folder (shell:startup).
Apply a patch
This vulnerability and the first two attack vectors (HijackClick and HijackClickV2) were publicly reported by Liu Die Yu. The third vector, Hijack Click 3, was publicly reported by Paul. Thanks to Microsoft for information used in this document.
|Date First Published:||2004-02-02|
|Date Last Updated:||2004-10-28 18:37 UTC|