BetaONE will rise again!


Reply
  #1  
Old 25th Aug 04, 01:36 PM
Alpine's Avatar
Alpine Alpine is offline
Retired Crew
 
Join Date: Feb 2002
Location: Run Forest, RUN!!
Posts: 3,601
Alpine is on a distinguished road
Send a message via ICQ to Alpine Send a message via AIM to Alpine
Bad drag and drop bug found in Internet Explorer

Dear The Inquirer,

According to an article posted on vnunet (and many other news sites), Microsoft claims that the latest "Drag and Drop" vulnerability (SA12321) in Internet Explorer including XP Service Pack 2 isn't a high risk. This vulnerability allows malicious websites to place any executable file in the Startup Folder, which will be started automatically when restarting.

Quote: "Given the significant amount of user action required to execute an attack, Microsoft does not consider this to be a high risk for customers," the firm said in a statement.

"Microsoft is not aware of any customer impact at this time. However, we will continue to investigate the issue to determine the appropriate course of action to protect our customers." End quote. http://www.vnunet.com/news/1157493

Is it fair by Microsoft to say that you expose yourself to an increased risk if you drag and drop an image on a web site?

In addition, two days ago the issue was escalated further by mikx, who has created a sample exploit, which can trigger the same vulnerability if the user simply uses the scroll bar - maybe this is also significant user interaction because now a days everybody uses wheel mice?

In our opinion it is not much of a mitigating factor that a vulnerability requires a user to perform a very usual and common task for an exploit to compromise a system.

According to Internet Storm Center / The SANS Institute this is already being exploited in the Wild.

Hopefully, Microsoft will change their opinion after they've learned that malicious sites find this drag and drop vulnerability very useful.

For more information about the vulnerability and possible solutions, see Secunia Advisory SA12321: http://secunia.com/advisories/12321/

Kind regards,
Thomas Kristensen
CTO
Secunia
Toldbodgade 37B
1253 Copenhagen K
Denmark




Source:

The INQ!
Reply With Quote
Reply


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
PC Makers Seize the Reins of XP SP2 Security NewsBot NeoWin News 0 21st Oct 04 11:00 PM
Microsoft Records 106 Million SP2 Downloads NewsBot NeoWin News 0 21st Oct 04 11:00 PM
Microsoft Partner Pack for Windows XP NewsBot NeoWin News 0 21st Oct 04 11:00 PM
Microsoft Partner Pack for Windows XP NewsBot NeoWin News 0 21st Oct 04 08:30 PM
PC Makers Seize the Reins of XP SP2 Security NewsBot NeoWin News 0 21st Oct 04 12:57 PM


All times are GMT +1. The time now is 08:13 PM.


Design by Vjacheslav Trushkin for phpBBStyles.com.
Powered by vBulletin® Version 3.6.5
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.