Well, that didn’t take long, did it? The first IE bug to surface since SP2, and one that Service Pack 2 for Windows XP doesn’t fix, has been found.
Secunia.com has found a new “highly critical” flaw in Internet Explorer’s “drag and drop” system that allows a malicious site to put an executable file onto the user’s file system, or as they put it:
“The vulnerability is caused due to insufficient validation of drag and drop events issued from the “Internet” zone to local resources. This can be exploited by a malicious website to e.g. plant an arbitrary executable file in a user’s startup folder, which will get executed the next time Windows starts up.
http-equiv has posted a PoC (Proof of Concept), which plants a program in the startup directory when a user drags a program masqueraded as an image.”
The Inquirer has reported this as well.
Secunia’s advice on how to work around the problem is:
“Disable Active Scripting or use another product.”
Since disabling Active Scripting essentially disables IE for many sites, the second option is the one I’d recommend. (Big surprise, I know. 🙂) My suggestion is, as always, to install Firefox for Windows and get off the security flaw roundabout. (It’s better, and it’s free. So I put it to you that if you’re reading this page with Internet Explorer, you’re showing a pretty serious lack of respect for your own files and data, not to mention your time.)
Regards
Franki