Date: 28 October 2004
References: AL-2004.024
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
A U S C E R T A L E R T
AL-2004.036 -- AUSCERT ALERT
Internet Explorer Click and Scroll ("Drag and Drop") Vulnerability
28 October 2004
===========================================================================
AusCERT Alert Summary
---------------------
Product:                Microsoft Internet Explorer 6.0 Service Pack 1
                        Microsoft Internet Explorer 5.5 Service Pack 2
Operating System:       Windows Server 2003
                        Windows XP (SP2)
                        Windows 2000
                        Windows NT 4.0
Impact:                 Execute Arbitrary Code/Commands
Access:                 Remote/Unauthenticated
Ref:                    AL-2004.024
Additional Information: http://support.microsoft.com/kb/888534
- --------------------------BEGIN INCLUDED TEXT--------------------
PROBLEM:
A critical vulnerability in all current versions of Microsoft
Internet Explorer allows the execution of arbitrary code if a user
interacts with a malicious website. This could be used by attackers
to remotely compromise the system.
Proof of Concept code has been posted on public mailing lists to
demonstrate this vulnerability [1]. Note that this vulnerability is
similar to that described in AL-2004.024 [2], but has different
mitigation strategies.
VERSIONS:
All current versions of Internet Explorer are vulnerable, up to and
including Windows XP systems with Service Pack 2 installed.
IMPACT:
If an attacker can entice a user to drag and drop an image which
contains malicious script then arbitrary commands may be executed
with the permissions of the current user.
The current proof of concept combines several methods to bypass
browser security mechanisms and execute malicious code. By using
transparent images, an attacker may be able to trick the user into
performing such a drag and drop operation while the user believes
they are doing something else, such as dragging the scroll bar or
selecting text.
AusCERT has observed an increase in vulnerabilities such as this
being used to install malicious software designed for the purposes
of identity theft and financial fraud.
MITIGATION:
There are currently no patches available to fix this vulnerability.
AusCERT advises users and sites running Internet Explorer to
evaluate their exposure to these vulnerabilities and to consider
the following mitigation strategies to reduce the risk of
exploitation:
o Install the MS04-038 update and set the Internet Explorer security
zone option "Drag and drop or copy and paste files" to Disable. See
the Microsoft website [3] for detailed instructions.
o Use a different web browser.
AusCERT also cautions users against clicking on URLs in untrusted
email, especially spam. Additional useful information may also be
found in the AusCERT paper entitled "Protecting your computer from
malicious code" [4].
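The first mitigation above is a per-zone Internet Explorer security setting, which is awkward to verify by hand across many machines. As an added example (not part of the AusCERT bulletin and not Microsoft's own tooling), the PowerShell script below audits that setting for the Internet and Restricted sites zones and, when run with -Enforce, sets it to Disable. The registry location (DWORD value 1802 under the per-zone key), the zone numbers (3 = Internet, 4 = Restricted sites) and the encoding 0 = Enable, 1 = Prompt, 3 = Disable are assumptions drawn from general Internet Explorer administration practice, not from this page; confirm them against KB 888534 [3] before relying on the script.

```powershell
# Added example, not from the AusCERT bulletin or KB 888534.
# Audits (and optionally enforces) the Internet Explorer zone setting
# "Drag and drop or copy and paste files".
#
# Assumptions (verify against KB 888534):
#   - the setting lives in DWORD value 1802 under
#     <hive>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<zone>
#   - zone 3 = Internet, zone 4 = Restricted sites
#   - 0 = Enable, 1 = Prompt, 3 = Disable
param([switch]$Enforce)   # without -Enforce the script only reports

$ValueName = '1802'
$Disable   = 3
$Zones     = @{ 3 = 'Internet'; 4 = 'Restricted sites' }
# HKLM is checked as well because zone settings can be applied machine-wide;
# writing to HKLM requires an elevated session.
$Hives     = @('HKCU', 'HKLM')

function Get-ZoneKeyPath {
    param([string]$Hive, [int]$Zone)
    "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
}

function Get-DragDropSetting {
    # Returns the current DWORD, or $null when the key or value is absent
    # (in which case the zone's built-in default applies).
    param([string]$Hive, [int]$Zone)
    $path = Get-ZoneKeyPath $Hive $Zone
    if (-not (Test-Path $path)) { return $null }
    $item = Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-DragDropDisabled {
    param([string]$Hive, [int]$Zone)
    $path = Get-ZoneKeyPath $Hive $Zone
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name $ValueName -Value $Disable -Type DWord
}

function Describe-Setting {
    param($Value)
    if ($null -eq $Value) { return 'not set (zone default applies)' }
    if ($Value -eq 0)     { return 'Enable (weak: allows the drag-and-drop vector)' }
    if ($Value -eq 1)     { return 'Prompt' }
    if ($Value -eq 3)     { return 'Disable (recommended mitigation)' }
    return "unknown ($Value)"
}

$results = foreach ($hive in $Hives) {
    foreach ($zone in $Zones.Keys) {
        $current = Get-DragDropSetting $hive $zone
        $state   = Describe-Setting $current
        if ($Enforce -and $current -ne $Disable) {
            Set-DragDropDisabled $hive $zone
            $state += ' -> set to Disable'
        }
        [pscustomobject]@{
            Hive      = $hive
            Zone      = $Zones[$zone]
            Value1802 = $current
            State     = $state
        }
    }
}

$results | Format-Table -AutoSize
```

Run it once without arguments to see the current state of each zone, and again with -Enforce (from an elevated prompt if HKLM must be written) to apply the Disable setting. Note that Group Policy can overwrite these values at the next refresh, so in a managed environment the same setting should be pushed through policy rather than only with this script.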
AusCERT will continue to monitor this vulnerability and any
changes in exploit activity. AusCERT members will be updated as
information becomes available.
REFERENCES:
[1] BugTraq Mailing List:
How to Break Windows XP SP2 + Internet Explorer 6 SP2
http://www.securityfocus.com/archive/1/378885
[2] AL-2004.024 -- Critical Vulnerability in Internet Explorer
Allows Remote Compromise
http://www.auscert.org.au/4328
[3] How to mitigate the Internet Explorer Click and Scroll security
issue
http://support.microsoft.com/kb/888534
[4] Protecting your computer from malicious code
http://www.auscert.org.au/render.html?it=3352
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBQYCH4yh9+71yA2DNAQKJnAQAnRKocVE29iRO5WwjBCmDzWQDO3O6Tz35
dtbMLkBPotRhCI/qNkRz3fF/6bn8JdKRyOvpPH4b/DNKqc6o12807GdQehhX8StS
EWe4HCXV78tsRtZFqmj1KCX4yeYOSTdUOAkH3aq0v2DQu1JsklLLFSKDjXMYjTZd
KujQj5UUwz8=
=iJFB
-----END PGP SIGNATURE-----