Internet Explorer drag&drop 0day
February 13th, 2006 by SecuriTeam, Filed under: Web, Microsoft, Commentary, Culture
One of our writers, Matthew Murphy, has just disclosed a vulnerability in Internet Explorer.
All credit belongs to Matthew; this is 100% his work and his disclosure.
Microsoft decided to patch this only next year, with SP3. As six months have now passed since Microsoft was contacted, Matthew alerted them ahead of time that he would make a public release on the 13th (today).
There have been several attempts to help Matthew and talk to Microsoft (including by me, as well as several others) and convince them this is indeed “bulletin-worthy”, to avoid this public release.
This is not a critical vulnerability, as it requires user interaction. However, it is serious and shouldn’t be down-played.
Here are some interesting ways to exploit this using social engineering:
scroll-bar, “smack the monkey”, moving naked girl (move mouse to make me…), web game, shopping list/wish list, “calibrate your mouse”, etc.
The advisory (and suggested work-around) can be found here:
http://www.securiteam.com/windowsntfocus/5mp0b0uhpa.html
In my opinion, this goes to prove that 0days are usually a “myth” (WMF being a good example of a real 0day), as this particular vulnerability has been known to me and some others for some time now, awaiting public release.
Does anyone still think bad guys don’t exploit (to whatever goals) a 0day if it is out there?
Gadi Evron,
ge@beyondsecurity.com.
Thankfully I have not been using IE for over 3 years…
[…] Today, a Securiteam researcher, Matt Murphy, updated an advisory to explain in depth how an IE exploit is achieved. It was covered in great detail, not in the blog entry, but in the actual advisory. […]
Windows XP SP2 is not vulnerable.
I’ve tested with the latest Internet Explorer 6 SP2 of Windows XP SP2 and it’s NOT vulnerable.
Sunshine,
The references at the end of the SecuriTeam advisory are not correct. For instance, the real Bugtraq database entry is http://www.securityfocus.com/bid/16352.
I will notify Matthew Murphy. Thanks!
It works with XP SP2; maybe your POC isn’t working there for some reason?
XP SP2 *is* vulnerable in default configuration. SP2 (US English) was the platform where the vulnerability was discovered.
Drag-and-drop vulnerability in Internet Explorer (0-day)
A vulnerability has been identified in Microsoft Internet Explorer which could be exploited by remote attackers to execute arbitrary code on the attacked user’s system. The problem is due to Internet Explorer not processing…
http://blogs.technet.com/msrc/default.aspx
In working with Matt and our internal teams we found this issue has very exact and specific requirements. It is only problematic in specific circumstances that require the user to take a specific action timed very precisely.
The specific configuration consists of having two windows open: one an IE window, and the other a folder to a resource. The specific user action is the user clicking and dragging an object from the IE window over to the folder window. The timing is very exact: when this is happening the windows would flip back and forth visibly at a set interval. The user would have to time it such that they catch the windows as they’re flipping back and forth.
Raul, can you email me please?
ge@linuxbox.org
[…] there are websites on the Internet that have raised theories on how, in their view, this vulnerability can be exploited […]