Posted: 27 January 2005 at 9:27pm | IP Logged
Drag and Drop vulnerability still affects 'patched' IE
in October to deal with an Internet Explorer drag and drop problem, IE is still vulnerable to a variant. This still-unpatched problem is caused by inadequate validation of drag and drop events from the Internet security zone to local resources. This vulnerability has been confirmed on fully patched systems, even with Windows XP SP2 and IE 6.0 SP2.

If this vulnerability is exploited by a hacker's Web site, it could plant HTML documents on the visiting PC. These docs could run script code on a user's system without warning. The script code in the planted HTML documents could run in the less restrictive "Local Computer"

What to do: Disable the Drag and drop or copy and paste files option in Internet Explorer. This can be done as follows:
- Open Internet
- Click Tools from the top menu.
- From the drop down menu, select Internet Options.
- Click on the
- Select the
- Click the Custom Level button.
- Scroll down to the Miscellaneous section of options and disable Drag and drop or copy and
- Click OK on all open dialog boxes to save the changes you've made.
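
The same setting can be checked and applied from PowerShell instead of the dialog. This is an added example, not part of the original post: it assumes the Internet zone (zone 3) is the one to change, since the step naming the zone is cut off above, and it relies on "Drag and drop or copy and paste files" being stored as URL action 1802 under the Internet Settings zone keys. The `-Zone` and `-Apply` parameters are names chosen for this example.

```powershell
# Added example: report and disable URL action 1802
# ("Drag and drop or copy and paste files") for an IE security zone.
# Assumption: zone 3 (Internet) is the zone to harden.
param(
    [int]$Zone = 3,
    [switch]$Apply      # without -Apply the script only reports
)

$action = '1802'        # URLACTION_SHELL_MOVE_OR_COPY
$names  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$base   = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$policy = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Registry locations where the zone setting can be stored
# (per-user, per-machine, and their Group Policy counterparts).
$paths = @(
    "HKLM:\$policy\$Zone",
    "HKCU:\$policy\$Zone",
    "HKCU:\$base\$Zone",
    "HKLM:\$base\$Zone"
)

function Get-ActionValue([string]$Path) {
    # Returns the DWORD for the action, or $null when the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $action -ErrorAction SilentlyContinue
    if ($null -ne $item) { return [int]$item.$action }
    return $null
}

foreach ($p in $paths) {
    $v = Get-ActionValue $p
    $label = if ($null -eq $v) { 'not set' }
             elseif ($names.ContainsKey($v)) { $names[$v] }
             else { "unknown ($v)" }
    '{0,-95} {1}' -f $p, $label
}

if ($Apply) {
    # Write the per-user setting, the one the Custom Level dialog edits.
    $target = "HKCU:\$base\$Zone"
    if (-not (Test-Path $target)) { New-Item -Path $target -Force | Out-Null }
    Set-ItemProperty -Path $target -Name $action -Value 3 -Type DWord
    "Set $target\$action = 3 (Disable)"
}
```

Run it once without `-Apply` to see where the value is currently set; a value present under the Policies keys means Group Policy controls the setting, and the per-user change will not take effect.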