August 20, 2004 1:04 PM PDT

Drag-and-drop flaw mars Microsoft's latest update

An independent researcher warned that an Internet Explorer vulnerability could turn drag-and-drop into drag-and-infect, even on computers updated with Microsoft's latest security patch.

The flaw affects the latest version of Internet Explorer running on Windows XP, even after the latest major update--known as Service Pack 2--is applied. An attacker using the flaw could install a program on a victim's computer after convincing the person to visit a malicious Web site and click on a graphic.

The attacker's program would be placed in the Windows startup folder and would run the next time the user restarted the computer. The security researcher who discovered the flaw, known by the online nickname "http-equiv," posted an example to show the power of the flaw.

"If you look at the Web page, all you see are two red lines and an image; drag the image across the two lines and drop it," he said. "What you have actually done is drop (a program) into your startup folder. Next time you switch the computer on it runs the program."

Security information company Secunia believes the program that takes advantage of the issue could be simplified to only require a single click from the user. Secunia rated the flaw as "highly critical," its second-highest rating of vulnerability threats.

Microsoft said the issue did not pose a serious risk to users because it requires an attacker to trick people into visiting a Web site and taking some action at the site.

"Given the significant amount of user action required to execute an attack, Microsoft does not consider this to be a high risk for customers," a company representative said, adding that the software giant's security experts are continuing to research the issue.

Security researchers predicted that vulnerabilities would quickly be found in Windows XP Service Pack 2, or SP2. The drag-and-drop flaw is perhaps the most serious found to date in computers that have been patched with Microsoft's major security update.

Service Pack 2 promises to add better security to Windows XP's handling of network data, program memory, browsing activity and e-mail messages, by changing the system's code and configuration. A revamped firewall, for example, attempts to prevent malicious applications on a PC from connecting to the Internet by requiring that the user give specific permission for each attempt.

The SP2 software, which took almost a year to develop, is seen by many as a response to the attack launched by the MSBlast worm on Aug. 11, 2003. Almost 26 days before, Microsoft had issued a patch for the security hole exploited by the worm. However, many people did not install the fix, even though there was widespread expectation that a virus would be created to take advantage of the flaw.

Ironically, this time around, most people have not had a chance to update their computers with the security patch. The update became available only on Wednesday and will require almost a month to reach every Windows XP user who wants the software, Microsoft said.

Even so, security researcher "http-equiv" believes that the software giant's latest patch does its job.

"The patch really does lock down the machine nicely, and whatever anyone finds now will be completely different to the previous year's findings," he said.

7 comments

Surprised!
After waiting a year for this update there still are critical flaws
and then MS reply is:
"Given the significant amount of user action required to execute
an attack, Microsoft does not consider this to be a high risk for
customers," a company representative said"
Doesn't MS get it, average Joe user will click on an image or will
think of it as an Internet game and will be fooled by it. What MS
needs to do is unbundle IE from the system. Then most of the
problems will disappear.

But then there is this problem:
"Ironically, this time around, most people have not had a chance
to update their computers with the security patch. The update
became available only on Wednesday and will require almost a
month to reach every Windows XP user who wants the software,
Microsoft said."

Then the person who found the flaws goes on to say:
"The patch really does lock down the machine nicely, and
whatever anyone finds now will be completely different to the
previous year's findings,"

Which means that the next big virus, trojan, etc, will be even
harder for the average user to be wary of. And most likely most
users will want to turn off the firewall in XP SP2 because they will
be bothered by all the warnings and won't be able to play most
of the online games.

I think I will wait until XP SP3 as it seems Longhorn will never
come. Actually I will just turn my laptop into a Linux machine
and use that.
Posted by wrwjpn (113 comments )
Bogus
Secunia had access to the Release Candidates and probably knew about this for months. They may even have been involved in the beta in which case they may have known about it even longer. Instead of warning MS about the flaw, they chose to wait till SP2 was released and then trumpet their discovery.
Posted by Not Bugged (195 comments )
What is Microsoft thinking?
Belittling the problem as "unlikely" is stupid. Evidently, they forgot about the recent spate of HACKED web-sites that had their contents altered to take advantage of a previous vulnerability.

Hello, Microsoft? It isn't hard to hack a lot of insecure sites, and alter them to take advantage of this new bug! It was done before, and believe it or not, it can be done AGAIN!

... but don't worry, Microsoft says it's highly unlikely that history will repeat itself again.

... and the patch for this low priority flaw will certainly be out soon. Hell, it took them a quick-turn-around of ONE MONTH to come out with the last patch that addressed a Day-Zero vulnerability -- and that was rated CRITICAL!

Now, where is that link to Firefox?
Posted by Tex Murphy PI (165 comments )
Thanks the gods...
I just purchased a brand new Apple PowerBook. No more
Microsoft for me. :)
Posted by olePigeon (39 comments )
easily prevented
Tools/Internet Options/Security/Internet/Custom Level and set "Drag and drop or copy and paste files" to "disable" or at the least "prompt".

If people spent even half the time they use to bash IE to figure out what all the different settings do the web would be a much safer place for everyone.

While I agree that it shouldn't even be set to "enable" by default, the story was obviously blown out of proportion - as so many about Windows and IE lately - by not mentioning this very simple workaround and saying the only option is to disable scripting or to switch browsers.
Posted by Jan Modaal (40 comments )
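
The setting named in the comment above is stored as URL action 1802 in the Internet zone (zone 3) of Internet Explorer's registry-backed zone settings. The PowerShell below is an added example, not part of the original article or its comments; it reports the value at each location where it can be set and applies the per-user "disable" workaround. The function names are hypothetical.

```powershell
# Added example. Audits and hardens the Internet-zone setting
# "Drag and drop or copy and paste files" (URL action 1802, zone 3).
$Action  = '1802'                       # drag and drop or copy and paste files
$Zone    = '3'                          # Internet zone
$Meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$Suffix  = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Bases   = @(
    "HKLM:\SOFTWARE\Policies\$Suffix",  # machine policy
    "HKCU:\SOFTWARE\Policies\$Suffix",  # user policy
    "HKCU:\SOFTWARE\$Suffix",           # user preference
    "HKLM:\SOFTWARE\$Suffix"            # machine default
)

function Get-DragDropSetting {          # hypothetical helper name
    foreach ($base in $Bases) {
        $path = Join-Path $base $Zone
        $prop = Get-ItemProperty -Path $path -Name $Action -ErrorAction SilentlyContinue
        if ($null -eq $prop) { continue }   # value not set at this location
        $value = [int]$prop.$Action
        $state = $Meaning[$value]
        if (-not $state) { $state = "Unknown ($value)" }
        [pscustomobject]@{
            Location = $path
            Value    = $value
            State    = $state
            Exposed  = ($value -eq 0)    # drag and drop allowed without any prompt
        }
    }
}

function Set-DragDropSetting {          # hypothetical helper name
    param([ValidateSet('Prompt', 'Disable')][string]$State = 'Disable')
    $value = if ($State -eq 'Prompt') { 1 } else { 3 }
    $path  = Join-Path "HKCU:\SOFTWARE\$Suffix" $Zone
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $Action -Value $value -PropertyType DWord -Force | Out-Null
}

Get-DragDropSetting | Format-Table -AutoSize
Set-DragDropSetting -State Disable      # per-user change; a policy key, if present, still wins
Get-DragDropSetting | Where-Object Exposed   # any rows left here still allow silent drag and drop
```
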
You're absolutely right...
If, (within minutes of using a new computer) the average consumer can't make dozens of UI-tweaks, install tens-of-megabytes of updates, and distrust EVERYTHING they see on their OWN computer-screens. They're DUMB, and should be held ENTIRELY responsible for the SERIOUS DESIGN FLAWS, built-into, the Microsoft products which they purchased (even if their purchase was usually due more to an "...illegally created monopoly" than to any real market-choice).

As someone who has worked in the 'IT' field for over two-decades, ...providing support and training to all levels of 'computer-users' and 'IS personnel', I personally completely agree with this philosophy. And I believe Bill Gates also 'officially' concurs (though he actually referred to the victims of such "IE security-flaws" as, "...stupid").
Posted by Gayle Edwards (262 comments )
Microsoft Bashing
This is absurd. While I don't actually use IE much (Firefox has tabs. Ahhhh.) this is not a flaw. Microsoft cannot protect against stupidity. If people choose to do actions that are not safe then it is their fault. Knives cut people, but you don't see warnings on them. Why? Because if you cut yourself it is because you made a mistake. However if the knife could go on rampages then it would be different. All Microsoft needs to protect against is Worms, and the firewall does that. It is time that people take responsibility for their own mistakes.

Andrew J Glina
Sinner Computing
Posted by Andrew J Glina (1673 comments )