Microsoft Internet Explorer suffers from a vulnerability in its handling of certain drag-and-drop events. As a result, it is possible for a malicious web site to predict and exploit the timing of a drag-and-drop operation such that any drag operation (including using scroll-bars) could potentially lead to the installation of arbitrary files in sensitive locations that may enable further system compromise.
Affected Systems:
* Microsoft Internet Explorer 5.01
* Microsoft Internet Explorer 5.5
* Microsoft Internet Explorer 6.0
– Windows 98
– Windows 98 Second Edition
– Windows Millennium Edition
– Windows 2000
– Windows XP
– Windows Server 2003
How to Block the Drag-and-Drop Vulnerability:
1. Set a Kill Bit on the Shell.Explorer Control
Setting a kill bit on this control will prevent Internet Explorer from displaying the rich folder view interface that gives rise to this attack. For more information about setting kill bits, please see Microsoft Knowledge Base Article 240797: http://support.microsoft.com/kb/240797
The CLSID of this component as deployed on Windows XP is: {8856F961-340A-11D0-A96B-00C04FD705A2}
Tools to automate the process of setting this kill bit have been provided at: http://student.missouristate.edu/m/matthew007/tools/shellkill.zip
PGP signature: http://student.missouristate.edu/m/matthew007/tools/shellkill.zip.asc
Included in this archive are an Administrative Template (.adm) and a VBScript file (.vbs) which implement this setting. The Administrative Template also allows an administrator to work around a specific case of functionality loss caused by the implementation of this workaround. Instructions on using both files are contained within the readme file in the archive.
IMPACT:
This workaround will cause Internet Explorer to no longer render folder views for local directories, network file shares, FTP directories and web folders by default. The ability to browse FTP directories in Internet Explorer can be restored by clearing the “Enable Folder View for FTP Sites” option in Internet Explorer’s “Advanced” options. However, this countermeasure is known to expose another security vulnerability that does not appear to have been fixed as of this writing: http://lists.grok.org.uk/pipermail/full-disclosure/2003-June/005321.html
For ordinary browsing purposes, the Windows Explorer tool is unaffected by this change. This defensive measure has been successfully implemented in at least one commercial software product and tested on a significant scale prior to the release of this advisory. Therefore, it is the belief of the author that potential loss of functionality *should* be minimal. As with all measures, you are encouraged to test the impact of this workaround prior to making any decision about deployment.
2. Prevent Automatic Navigation to Local Intranet Zone (Windows XP SP2, Windows Server 2003 SP1)
This workaround will prevent Internet content in Internet Explorer from automatically navigating to URLs within the Local Intranet Zone. This effectively prevents the introduction of malicious code to the local system via the network redirector. To implement this workaround, follow these steps:
1. In Internet Explorer’s Tools menu, choose “Internet Options…”
2. Select the “Security” tab and choose “Local Intranet”
3. Click the “Custom Level” button
4. Set the “Web sites in less privileged content zone can navigate into this zone” setting to “Disable” or “Prompt”.
5. Click OK to close any dialogs and, optionally, close Internet Explorer.
IMPACT:
This workaround will block or prompt before allowing any navigation to LAN resources from the Internet Zone. Direct access to LAN resources continues to function normally. As a result of this workaround, attempts to access local intranet content (for instance, web applications on corporate Intranets) from web sites outside of the LAN will fail or produce prompts, depending upon the chosen setting.
3. Disable Active Scripting
This workaround will prevent Internet content from executing script that could potentially cause the exploitation of this vulnerability. To implement this workaround, follow these steps:
1. In Internet Explorer’s Tools menu, choose “Internet Options…”
2. Select the “Security” tab and choose “Internet”
3. Click the “Custom Level” button
4. Set the “Active scripting” option to “Prompt” or “Disable”.
IMPACT:
This workaround will block or prompt before allowing web sites to execute any script statement. Scripting in more-privileged zones (Local Intranet, Trusted Sites) continues to function normally. Setting this option to “Prompt” may cause a significant increase in the number of security prompts received while browsing and may be ineffective in closing this vulnerability for users not capable of making an assessment of a web site’s relative trustworthiness.
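The following read-only PowerShell check is an added example, not part of the original advisory or of the shellkill archive. It reports whether each of the three workarounds is in place for the current user. The registry locations it reads (the ActiveX Compatibility key with the 0x400 Compatibility Flags value described in KB 240797, and the per-zone URL action values 2101 and 1400) are assumptions based on standard Internet Explorer behaviour that the advisory does not spell out.

```powershell
# Added example: read-only audit of the advisory's three workarounds (changes nothing).
$Clsid   = '{8856F961-340A-11D0-A96B-00C04FD705A2}'  # Shell.Explorer CLSID from the advisory
$KillBit = 0x400                                     # kill-bit flag per KB 240797

# Assumed registry locations (not given in the advisory).
$AxKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
    # Seen by 32-bit Internet Explorer on 64-bit Windows:
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
)
$ZoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Get-RegDword([string]$Path, [string]$Name) {
    # Returns $null when the key or the value is missing.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-KillBitState([string]$Path) {
    # Workaround 1: the kill bit is a flag inside the "Compatibility Flags" DWORD.
    $flags = Get-RegDword $Path 'Compatibility Flags'
    if ($null -ne $flags -and ($flags -band $KillBit)) { return 'kill bit set' }
    return 'kill bit NOT set'
}

function Get-ZoneActionState([int]$Zone, [string]$Action) {
    # URL action policy values: 0 = Enable, 1 = Prompt, 3 = Disable.
    $names = @{
        0 = 'Enable (workaround NOT applied)'
        1 = 'Prompt (workaround applied)'
        3 = 'Disable (workaround applied)'
    }
    $value = Get-RegDword "$ZoneRoot\$Zone" $Action
    if ($null -eq $value) { return 'not set for this user' }
    if ($names.ContainsKey([int]$value)) { return $names[[int]$value] }
    return "unexpected value $value"
}

foreach ($key in $AxKeys) { "{0}`n  -> {1}" -f $key, (Get-KillBitState $key) }
# Workaround 2: navigation from less privileged zones into Local Intranet (zone 1).
"Zone 1, action 2101 (navigate into this zone): " + (Get-ZoneActionState 1 '2101')
# Workaround 3: Active scripting in the Internet zone (zone 3).
"Zone 3, action 1400 (Active scripting): " + (Get-ZoneActionState 3 '1400')
```

Zone settings enforced through Group Policy are stored outside the per-user key read here, so a "not set" result on a managed machine needs to be checked against policy as well.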