Signature Detail

HTTP: Internet Explorer Drag-and-Drop Modified

This signature detects attempts to exploit a known vulnerability against Internet Explorer. By sending an updated attack vector for the drag and drop vulnerability, a malicious attacker can upload arbitrary executables to the startup folder and compromise a host by tricking a user into viewing a malicious Web-site.

Extended Description

The Microsoft cumulative Internet Explorer patch (MS04-038) attempted to limit what files may be dragged and dropped onto the local computer from the Internet Zone to prevent executable objects from being placed on the file system in this manner. However, a number of file types are still permitted for drag and drop operations. It has demonstrated that it is possible to embed hostile HTML and script code in one of these file types, remove the file extension and then allow the operating system to dynamically determine the file type based on its contents. If this issue were combined with other vulnerabilities, such as that described in BID 11467, it may result in execution of arbitrary code on the client computer. Both Internet Explorer and Microsoft Windows itself is affected by this vulnerability.

Affected Products

• Microsoft internet_explorer 5.0.1
• Microsoft internet_explorer 5.0.1 SP1
• Microsoft internet_explorer 5.0.1 SP2
• Microsoft internet_explorer 5.0.1 SP3
• Microsoft internet_explorer 5.0.1 SP4
• Microsoft internet_explorer 5.5
• Microsoft internet_explorer 5.5 SP1
• Microsoft internet_explorer 5.5 SP2
• Microsoft internet_explorer 6.0
• Microsoft internet_explorer 6.0 SP1
• Microsoft .net_framework 1.1
• Microsoft windows_2000_advanced_server SP1
• Microsoft windows_2000_advanced_server SP2
• Microsoft windows_2000_advanced_server SP3
• Microsoft windows_2000_advanced_server SP4
• Microsoft windows_2000_advanced_server
• Microsoft windows_2000_datacenter_server SP1
• Microsoft windows_2000_datacenter_server SP2
• Microsoft windows_2000_datacenter_server SP3
• Microsoft windows_2000_datacenter_server SP4
• Microsoft windows_2000_datacenter_server
• Microsoft windows_2000_professional SP1
• Microsoft windows_2000_professional SP2
• Microsoft windows_2000_professional SP3
• Microsoft windows_2000_professional SP4
• Microsoft windows_2000_professional
• Microsoft windows_2000_server SP1
• Microsoft windows_2000_server SP2
• Microsoft windows_2000_server SP3
• Microsoft windows_2000_server SP4
• Microsoft windows_2000_server
• Microsoft windows_98
• Microsoft windows_98se
• Microsoft windows_me
• Microsoft windows_server_2003_datacenter_edition
• Microsoft windows_server_2003_datacenter_edition_itanium
• Microsoft windows_server_2003_enterprise_edition
• Microsoft windows_server_2003_enterprise_edition_itanium
• Microsoft windows_server_2003_standard_edition
• Microsoft windows_server_2003_web_edition
• Microsoft windows_xp_64-bit_edition SP1
• Microsoft windows_xp_64-bit_edition
• Microsoft windows_xp_64-bit_edition_version_2003
• Microsoft windows_xp_home SP1
• Microsoft windows_xp_home SP2
• Microsoft windows_xp_home
• Microsoft windows_xp_media_center_edition SP1
• Microsoft windows_xp_media_center_edition SP2
• Microsoft windows_xp_media_center_edition
• Microsoft windows_xp_professional SP1
• Microsoft windows_xp_professional SP2
• Microsoft windows_xp_professional
• Microsoft windows_xp_tablet_pc_edition SP1
• Microsoft windows_xp_tablet_pc_edition SP2
• Microsoft windows_xp_tablet_pc_edition
• Nortel_networks ip_softphone_2050
• Nortel_networks mobile_voice_client_2050
• Nortel_networks optivity_telephony_manager_(otm)
• Nortel_networks symposium_web_center_portal_(swcp)
• Nortel_networks symposium_web_client

References

• BugTraq: 11466
• CVE: CVE-2005-0053
• URL: http://www.kb.cert.org/vuls/id/939688
• URL: http://www.microsoft.com/technet/security/bulletin/MS04-038.mspx