Even after the patch Microsoft released in October to deal with an Internet Explorer drag and drop problem, IE is still vulnerable to a variant. This still-unpatched problem is caused by inadequate validation of drag and drop events from the Internet security zone to local resources. The vulnerability has been confirmed on fully patched systems, even Windows XP SP2 with IE 6.0 SP2.
If a hacker's Web site exploits this vulnerability, it could plant HTML documents on the visiting PC. Because those planted documents would open in the less restrictive "Local Computer" zone, any script code they contain could run on the user's system without warning.
What to do: Disable the "Drag and drop or copy and paste files" option in Internet Explorer. This can be done as follows:
- Open Internet Explorer.
- Click Tools from the top menu.
- From the drop down menu, select Internet Options.
- Click on the Security tab.
- Select the Internet zone.
- Click the Custom Level button.
- Scroll down to the Miscellaneous section of options and set "Drag and drop or copy and paste files" to Disable.
- Click OK on all open dialog boxes to save the changes you've made.
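The same change can be audited and applied without the dialog boxes, which is useful when checking more than one machine. The following is an added example, not part of the original advisory: it assumes the Internet Explorer zone registry layout that Microsoft documents for advanced users, where zone 3 is the Internet zone, action 1802 is "Drag and drop or copy and paste files", and the data 0, 1 and 3 mean Enable, Prompt and Disable. It writes only the current user's setting.

```powershell
# Added example (not from the original advisory): audit and set the
# "Drag and drop or copy and paste files" action for the Internet zone.
# Assumed, Microsoft-documented layout: Zones\3 = Internet zone,
# value 1802 = "Drag and drop or copy and paste files",
# data 0 = Enable, 1 = Prompt, 3 = Disable. Current user only.

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$Action   = '1802'
$Labels   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-DragDropSetting {
    # Returns the current numeric value, or $null when the value is absent
    # (IE then falls back to the zone template default, which is Enable).
    $props = Get-ItemProperty -Path $ZonePath -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties[$Action]) {
        return [int]$props.$Action
    }
    return $null
}

function Test-DragDropDisabled {
    # True only when the option is explicitly set to Disable (3);
    # Prompt (1) still lets a user click through, so it does not count.
    return (Get-DragDropSetting) -eq 3
}

function Disable-DragDrop {
    # Applies the mitigation the advisory recommends, then re-reads the
    # value so the caller learns whether the write actually took effect.
    if (-not (Test-Path $ZonePath)) { New-Item -Path $ZonePath -Force | Out-Null }
    Set-ItemProperty -Path $ZonePath -Name $Action -Value 3 -Type DWord
    return Test-DragDropDisabled
}

$before = Get-DragDropSetting
$label  = if ($before -eq $null) { 'not set (zone default)' } else { $Labels[$before] }
Write-Host "Internet zone, action $Action before: $label"

if (-not (Test-DragDropDisabled)) {
    if (Disable-DragDrop) { Write-Host 'Now set to Disable.' }
    else { Write-Warning 'Write did not take effect; check permissions or policy.' }
}
```

If zone settings are managed by Group Policy, the per-user key shown here is ignored in favour of the policy or machine-wide key, so verify the effective setting through the Internet Options dialog after running this.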