Internet Explorer drag&drop 0day
one of our writers, matthew murphy, has just disclosed a vulnerability in internet explorer.
all credit belongs to matthew, this is 100% his work and his disclosure.
microsoft decided to patch this only next year with sp3. as by now 6 mounths passed since microsoft was contacted, matthew alerted them ahead of time he will make a public release on the 13th (today).
there have been several attempts to help matthew and talk to microsoft (including by me, as well as several others) and convince them this is indeed “bullet-in worthy” to avoid this public release.
this is not a critical vulnerability, as it requires user interaction. however, it is serious and shouldn’t be down-played.
here are some interesting ways to exploit this using social engineering:
scroll-bar, “smack the monkey”, moving naked girl (move mouse to make me…), web game, shopping list/wish list, “calibrate your mouse”, etc.
the advisory (and suggested work-around) can be found here:
in my opinion, this comes to prove 0days are usually a “myth” (wmf being a good example of a real 0day), as this particular vulnerability has been known to me and some others for some time now awaiting public release.
does anyone still think bad guys don’t exploit (to whatever goals) a 0day if it is out there?