The Internet Explorer (IE) zone security preference for "Drag and drop or copy and paste files" is not honored with Windows XP and Windows Server 2003.
IE provides several settings for the various security zones. These settings can prevent certain actions from taking place in their respective zones. One such setting is "Drag and drop or copy and paste files." Windows XP and Windows Server 2003 fail to honor this preference, always allowing such operations to take place. Because this setting may not be honored by IE, the setting cannot be used as a workaround to prevent "drag and drop" style attacks.
IE will permit drag and drop or copy and paste operations, even when the security settings indicate otherwise. By convincing a user to perform a drag and drop operation, an attacker could copy arbitrary files to a known location on a user's computer. If the target location is shell:startup, then it is possible to cause arbitrary code to be automatically executed the next time the user logs in. When combined with VU#413886 and VU#490708, the drag and drop operation can be triggered by actions such as dragging the IE scrollbar, selecting text, or clicking an image.
Apply a patch
Apply the patch referenced in MS04-038. The Security Bulletin states:
This vulnerability was reported by Will Dormann.
|Date First Published:||2004-10-18|
|Date Last Updated:||2004-10-28 19:42 UTC|