Microsoft Internet Explorer (IE) treats arbitrary files as images during drag and drop mouse operations. This could allow an attacker to trick a user into copying a file to a location where it may be executed, such as the Windows StartUp folder.
IE treats any file referenced by an IMG tag in HTML as an image. IE treats images differently with respect to drag and drop operations. When a drag and drop operation is performed on an image, IE creates a copy of the image and places it in the location where the mouse is released. IE assumes that the source (e.g., SRC or DYNSRC attribute) of an IMG element is a valid image file, regardless of the actual contents of the file. For example, a drag and drop operation on an IMG element with an executable source file will copy the executable file without presenting a download dialog.
If the DYNSRC attribute for the image is used, IE displays the image specified by the SRC attribute but copies the file specified by the DYNSRC attribute. This behavior allows any arbitrary file to masquerade as an image.
By convincing a user to perform a drag and drop operation, an attacker could copy malicious code to the local file system. If the malicious code is placed in the Windows StartUp folder, the code will be executed automatically when the user logs in. In combination with a vulnerability in the way IE allows the manipulation of window objects during mouse events (VU#413886), an attacker could write arbitrary files by convincing a user to click anywhere within the attacker's HTML document or on the scroll bar of the document window. Given the ability to spoof GUI elements, including the entire desktop (VU#490708), an attacker could easily convince a user to click on the attacker's HTML document.
Apply a patch
Thanks to http-equiv for reporting this vulnerability.
This document was written by Will Dormann and Art Manion.
|Date First Published:||2004-09-14|
|Date Last Updated:||2004-10-28 18:32 UTC|