New IE Flaw Also Affects Windows XP SP2
 

A newly discovered flaw in Microsoft Internet Explorer (IE) affects various IE releases, including the version in Windows XP Service Pack 2 (SP2), leaving users of the incredibly buggy browser open to attack. The flaw, which security firm Secunia disclosed this weekend, affects IE 6, 5.5, and 5.01 and Windows XP SP2 and SP1.
  
Secunia describes the flaw as "highly critical," which is apparently more serious than "critical" but less serious than "wicked critical." The firm says that it created a proof-of-concept attack based on the flaw, which requires users to drag and drop content from a malicious Web site onto their hard disks, thus bypassing IE's security-zone protection. Secunia recommends that IE users disable Active Scripting until Microsoft issues a patch. A more proactive solution would be to use a more secure Web browser: I recommend Mozilla Firefox.
  
Curiously, Microsoft is downplaying the flaw's risk, citing the amount of user interaction required to exploit it. "Given the significant amount of user action required to execute an attack, Microsoft does not consider this to be a high risk for customers," a Microsoft representative said, noting that the company is still investigating the flaw.
  
Meanwhile, a new version of Download.Ject that's circulating on the Web affects all pre-XP versions of Windows. Users who have upgraded to XP SP2 are invulnerable to the attack, according to security researchers. The original Download.Ject surfaced in June, and Microsoft modified SP2 to handle that style of attack.
Reader Comments

Such crap. Who drags and drops things from their browser onto their hard drive with regularity? I wish the same people that constantly pick apart Microsoft products for these flaws would also dedicate their time to some of these "oh-so-secure" open-source projects.

md_detroit -August 23, 2004

Hey MD, you know..pot/kettle=black? You might do a little research...if you bothered you would find _________________________ To prove it's not a "hype" created by the media or companies like Secunia, "mikx" created another proof-of-concept based on http-equiv's code that hides both the image to drag and the local folder you drop it to. As a result, using the window scrollbar will install malware in your startup folder. A little 5x5 pixel "drop zone" will automatically follow your mouse. Just drag the window scrollbar as usual (and a hidden image at the same moment) and wherever you release the mouse button you will drop an exe file to your shell:startup (as long as you remain inside the browser window, of course). Demo website: http://www.mikx.de/scrollbar/ Dragging the window scrollbar is a common behavior - even if I can't believe there was a world before mouse wheels. A common user will probably not recognize the installation at all. ______________________ Care to reply again, md_detroit?

BartLansing -August 23, 2004

Here you go, disaffected misfit high school kids, here's a loaded gun, let's show your parents how much you hate them! Over here Islamic terrorists, how would you like a simple recipe to make the equivalent of C4 out of common home products, kill the infidel, viva jihad! Evil hacker scumbags, here it is, a blueprint for your next malware attack, complete with sample source, still beats SP2, could do some real damage with this one -- enjoy! Oh hey, don't forget these are just to prove it's not media hype, you understand, don't actually use any of these to kill people or destroy IT... oh hell, they already left, hmm... Thing about all of the above, in the immortal words of Andrew Dice Clay, "upside down it's all the same s#!t." The inherent danger of these constructs has been well proven. Release of these "proofs of concept" makes them available to uninspired creeps who likely never would've come up with anything close on their own. The only thing it will prove is as obvious and predictable as it is tragic: that these "researchers'" work can and will be used against us, the computing public -- remember us? Yes, that's right, the people you don't give a damn about... well, looking forward to the destruction your work will spawn this time, good job, keep it up, heaven knows we can always use more mayhem. -Mark McGinty

mmcginty_SQL -August 24, 2004

"Who drags and drops things from their browser onto their harddrive with regularity?" Mac users do. Of course, this vulnerability doesn't affect them, so it doesn't really matter. They can go on using their computers without worry.

WinThose -August 25, 2004

Dear Mr. MD_Detroit, Just how much does MS pay you to say sweet things about them? Your denial of something occurring reminds me of riverboat personnel that deny official, written military testimonials. Just because you claim that it's not important doesn't make it so. It's getting to the point with the MS browser that one needs to question the value of its integration into the OS. This integration is its biggest problem. It's quite funny when you think that MS did this on purpose in order to stifle its competition. The continuing blow-back on MS from the security leaks--that they designed--will be their own undoing. LOL! Thanks, BM_MN

bm_mn -August 25, 2004

You have got to be kidding. Detroit is right, you people really are losers.

elmurid -August 27, 2004

Mr Md_detroit and Mr Elmurid, it is a rather rude gesture to dismiss emphatically the evidence put forward by Mr BartLansing. Go to http://www.mikx.de/scrollbar/ and see the evidence before you demonstrate your sheer ignorance.

truehighspeed -August 28, 2004
 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement