'Drag-and-Drop' IE Flaw Persists

edited October 2004 in Science & Tech
Microsoft officials confirmed the existence of two vulnerabilities within Internet Explorer 6.0 that affect all versions of Windows, including Windows XP Service Pack 2.
It's a continuation of the "drag-and-drop" flaw security officials at Microsoft have spent more than two months fixing. The flaws, rated "highly critical" by security outfit Secunia Research in a report Wednesday, when used in conjunction, can allow the owner of a Web site to dump a malicious file into a user's startup folder, which will be executed when the system is rebooted. The first vulnerability is caused by insufficient validation of drag-and-drop events from the "Internet Zone" to the "Local Computer" zone, the report states. Images or files downloaded by a user can be embedded with HTML code containing arbitrary scripts and bypass the security measures in place.
Oh wonderful. -KF

Source: Internet News