search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Microsoft DHTML Drag-and-Drop events insufficiently validated

Vulnerability Note VU#698835

Original Release Date: 2005-02-09 | Last Revised: 2005-02-09

Overview

Microsoft DHTML Drag-and-Drop events can manipulate windows to copy objects from one domain to another, including the Local Machine Zone. This vulnerability could allow an attacker to write arbitrary files to the local file system.

Description

Microsoft Drag-and-Drop events do not properly validate objects before placing them on a user's system. For more information concerning Drag-and-Drop vulnerabilities please refer to VU#526089 and VU#413886. According to Microsoft

The update for the "Drag-and-Drop Vulnerability" (CAN-2005-0053) comes in two parts. It is addressed in part in this security bulletin. This security bulletin [MS05-008], together with security bulletin MS05-014, makes up the update for CAN-2005-0053. These updates do not have to be installed in any particular order. However, we recommend that you install both updates.

MS05-014 creates and installs a list of file types within Internet Explorer that are allowed to be transferred via a Drag-and-Drop event.

MS05-008 introduces a more strict validation procedure for Drag-and-Drop events within the Windows shell.

For more information on these vulnerabilities and their remediation, please see MS05-014 and MS05-008, as well as MS04-038.

Impact

If a remote attacker can persuade a user to access a specially crafted web page, that attacker may be able to write arbitrary files to the local file system.

Solution

Apply Patch

Microsoft has released patches to address this vulnerability available in MS05-014 and MS05-008. In addition, users should apply the patch described in MS04-038.

Consider Workarounds Described in Knowledge Base Article 888534

Microsoft Knowledge Base article 888534 describes several ways to help protect a computer from attacks that may use "drag and drop" features in IE.

Disable Drag-and-Drop or Copy and Paste Files


Disabling the zone security preference "Drag and drop or copy and paste files" prevents drag and drop operations.

Note:
This preference is not honored with Windows XP and Windows Server 2003 operating systems that do not have the MS04-038 update (VU#630720). Without the patch, Windows XP and Windows Server 2003 will always allow drag and drop events to occur, regardless of the zone security setting. After the patch in MS04-038 is installed, the preference to disable drag and drop events is honored. However, in our testing, the "Prompt" option now behaves the same as "Disable" with Windows XP and Windows Server 2003. If set to "Prompt," the drag and drop events will not occur and there will be no prompt.

Render Email in Plain Text


Configure email client software (mail user agent [MUA]) to render email messages in plaint text. Instructions to configure Outlook 2002 and Outlook Express 6 are available in Microsoft Knowledge Base Articles 307594 and 291387, respectively. HTML-formatted email messages may not appear properly. However, script will not be evaluated, thus preventing certain types of attacks.

Maintain Updated Anti-virus Software


Anti-virus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely on anti-virus software to defend against this vulnerability.

Vendor Information

698835
 
Affected   Unknown   Unaffected

Microsoft Corporation

Updated:  February 08, 2005

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see MS05-014 and MS05-008, as well as MS04-038.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

This vulnerability was reported in Microsoft Security Bulletins MS05-014 and MS05-008 . Microsoft acknowledge d Michael Krax as a reporter of CAN-2005-0053.

This document was written by Jeff Gennari based on information from Microsoft Security Bulletins MS05-014 and MS05-008

Other Information

CVE IDs: CVE-2005-0053
Severity Metric: 28.13
Date Public: 2005-02-08
Date First Published: 2005-02-09
Date Last Updated: 2005-02-09 20:12 UTC
Document Revision: 37

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.