
CERT Coordination Center

Microsoft DHTML Drag-and-Drop events insufficiently validated

Vulnerability Note VU#698835

Original Release Date: 2005-02-09 | Last Revised: 2005-02-09

Overview

Microsoft DHTML Drag-and-Drop events can manipulate windows to copy objects from one domain to another, including the Local Machine Zone. This vulnerability could allow an attacker to write arbitrary files to the local file system.

Description

Microsoft Drag-and-Drop events do not properly validate objects before placing them on a user's system. For more information concerning Drag-and-Drop vulnerabilities, please refer to VU#526089 and VU#413886. According to Microsoft:

The update for the "Drag-and-Drop Vulnerability" (CAN-2005-0053) comes in two parts. It is addressed in part in this security bulletin. This security bulletin [MS05-008], together with security bulletin MS05-014, makes up the update for CAN-2005-0053. These updates do not have to be installed in any particular order. However, we recommend that you install both updates.

MS05-014 creates and installs a list of file types within Internet Explorer that are allowed to be transferred via a Drag-and-Drop event.

MS05-008 introduces a more strict validation procedure for Drag-and-Drop events within the Windows shell.

For more information on these vulnerabilities and their remediation, please see MS05-014 and MS05-008, as well as MS04-038.

Impact

If a remote attacker can persuade a user to access a specially crafted web page, that attacker may be able to write arbitrary files to the local file system.

Solution

Apply Patch

Microsoft has released patches that address this vulnerability; they are available in MS05-014 and MS05-008. In addition, users should apply the patch described in MS04-038.

Consider Workarounds Described in Knowledge Base Article 888534

Microsoft Knowledge Base article 888534 describes several ways to help protect a computer from attacks that may use "drag and drop" features in IE.

Disable Drag-and-Drop or Copy and Paste Files


Disabling the zone security preference "Drag and drop or copy and paste files" prevents drag and drop operations.

Note:
This preference is not honored with Windows XP and Windows Server 2003 operating systems that do not have the MS04-038 update (VU#630720). Without the patch, Windows XP and Windows Server 2003 will always allow drag and drop events to occur, regardless of the zone security setting. After the patch in MS04-038 is installed, the preference to disable drag and drop events is honored. However, in our testing, the "Prompt" option now behaves the same as "Disable" with Windows XP and Windows Server 2003. If set to "Prompt," the drag and drop events will not occur and there will be no prompt.
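
To see where this workaround is actually in effect on a host, the following added example (not part of the original note or of Microsoft's guidance) lists the preference for every security zone and registry location in which it is set. It assumes the preference is stored as URL action 1802 under the Internet Settings "Zones" keys, with DWORD 0 = Enable, 1 = Prompt and 3 = Disable; the function name is hypothetical.

```powershell
# Added example: audit the "Drag and drop or copy and paste files" zone preference.
# Assumption: the preference is URL action 1802; DWORD 0 = Enable, 1 = Prompt, 3 = Disable.
$action = '1802'
$zones = [ordered]@{
    '0' = 'My Computer (Local Machine Zone)'
    '1' = 'Local intranet'
    '2' = 'Trusted sites'
    '3' = 'Internet'
    '4' = 'Restricted sites'
}
$states = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Every location that can carry the value is reported separately; the script
# does not try to compute which one Internet Explorer finally applies.
$roots = @(
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

function Get-DragDropZoneSetting {   # hypothetical helper name
    foreach ($zone in $zones.Keys) {
        foreach ($root in $roots) {
            $key  = Join-Path $root $zone
            $item = Get-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue
            if ($null -eq $item) { continue }          # value not set at this location

            $value = [int]$item.$action
            $state = if ($states.ContainsKey($value)) { $states[$value] } else { 'Unknown' }

            [pscustomobject]@{
                Zone     = $zones[$zone]
                Location = $key
                Value    = $value
                State    = $state
                # Only an explicit Disable counts as the workaround. Prompt is
                # flagged for review: per the note above, it blocks silently on
                # Windows XP / Server 2003 only once MS04-038 is installed.
                Disabled = ($value -eq 3)
            }
        }
    }
}

Get-DragDropZoneSetting | Sort-Object Zone, Location | Format-Table -AutoSize
```

A zone that does not appear in the output has no explicit value at any of the four locations. On Windows XP and Windows Server 2003, confirm separately that MS04-038 is installed, because without it the preference is not honored.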

Render Email in Plain Text


Configure email client software (mail user agent [MUA]) to render email messages in plain text. Instructions to configure Outlook 2002 and Outlook Express 6 are available in Microsoft Knowledge Base Articles 307594 and 291387, respectively. HTML-formatted email messages may not appear properly. However, script will not be evaluated, thus preventing certain types of attacks.

Maintain Updated Anti-virus Software


Anti-virus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely on anti-virus software to defend against this vulnerability.

Vendor Information


Microsoft Corporation Affected

Updated:  February 08, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see MS05-014 and MS05-008, as well as MS04-038.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

This vulnerability was reported in Microsoft Security Bulletins MS05-014 and MS05-008. Microsoft acknowledged Michael Krax as a reporter of CAN-2005-0053.

This document was written by Jeff Gennari based on information from Microsoft Security Bulletins MS05-014 and MS05-008.

Other Information

CVE IDs: CVE-2005-0053
Severity Metric: 28.13
Date Public: 2005-02-08
Date First Published: 2005-02-09
Date Last Updated: 2005-02-09 20:12 UTC
Document Revision: 38

Sponsored by CISA.