Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  


August 23, 2004

New IE Flaw Also Affects Windows XP SP2



Reader Comments
Such crap. Who drags and drops things from their browser onto their harddrive with regularity? I wish the same people that constantly pick apart Microsoft products for these flaws would also dedicate their time to some of these "oh-so-secure" opensource projects.

md_detroit August 23, 2004



Hey MD, you know..pot/kettle=black? You might do a little research...if you bothered you would find <NOTE THE BELOW SNIP WAS TAKEN FROM THE FULL DISCLOSURE LIST, PROPS TO MIKX, WHO I'VE SNIPPED HERE>

_________________________
To prove it's not a "hype" created by the media or companies like secunia, "mikx" <mikx@mikx.de>
created another proof-of-concept based on http-equiv's code that hides both
the image to drag and the local folder you drop it to. As a result using the
window scrollbar will install malware in your startup folder.

A little 5x5 pixel "drop zone" will automatically follow your mouse. Just drag
the window scrollbar as usual (and a hidden image at the same moment) and
wherever you release the mouse button you will drop an exe file to your
shell:startup (as long as you remain inside the browser window of course).

Demo website: http://www.mikx.de/scrollbar/

Dragging the window scrollbar is a common behavior - even if I can't believe
there was a world before mouse wheels. A common user will probably not
recognize the installation at all.
______________________

Care to reply again, md_detroit?


BartLansing August 23, 2004


Here you go, disaffected misfit high school kids, here's a loaded gun, let's show your parents how much you hate them! Over here Islamic terrorists, how would you like a simple recipe to make the equivalent of C4 out of common home products, kill the infidel, viva jihad! Evil hacker scumbags, here it is, a blueprint for your next malware attack, complete with sample source, still beats SP2, could do some real damage with this one -- enjoy!

Oh hey, don't forget these are just to prove it's not media hype, you understand, don't actually use any of these to kill people or destroy IT... oh hell, they already left, hmm...

Thing about all of the above, in the immortal words of Andrew Dice Clay, "upside down it's all the same s#!t." The inherent danger of these constructs has been well proven. Release of these "proofs of concept" makes them available to uninspired creeps who likely never would've come up with anything close on their own. The only thing it will prove is as obvious and predictable as it is tragic: that these "researchers'" work can and will be used against us, the computing public -- remember us? Yes that's right, the people you don't give a damn about... well, looking forward to the destruction your work will spawn this time, good job, keep it up, heaven knows we can always use more mayhem.

-Mark McGinty

mmcginty_SQL August 24, 2004


"Who drags and drops things from their browser onto their harddrive with regularity?"

Mac users do. Of course, this vulnerability doesn't affect them, so it doesn't really matter. They can go on using their computers without worry.

WinThose August 25, 2004


Dear Mr. MD_Detroit,

Just how much does MS pay you to say sweet things about them? Your denial of something occurring reminds me of riverboat personnel that deny official, written military testimonials. Just because you claim that it's not important doesn't make it so.

It's getting to the point with the MS browser that one needs to question the value of its integration to the OS. This integration is its biggest problem. It's quite funny when you think that MS did this on purpose in order to stifle its competition. The continuing blow-back on MS from the security leaks--that they designed--will be their own undoing. LOL!

Thanks,
BM_MN

bm_mn August 25, 2004


You have got to be kidding. Detroit is right, you people really are losers

elmurid August 27, 2004


Mr Md_detroit and Mr Elmurid, it is rather a rude gesture to dismiss emphatically the evidence put forward by Mr BartLansing. Go to http://www.mikx.de/scrollbar/ and see the evidence before you demonstrate your sheer ignorance.

truehighspeed August 28, 2004


 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement