OSVDB ID: 7774

Title: Microsoft IE Popup.show() Click Hijack (HijackClick 3)

Dates

Disclosure: Jul 11, 2004
Discovery: Unknown
Exploit: Jul 11, 2004
Solution: Unknown

Description

Microsoft Internet Explorer contains a flaw that may allow a malicious user to induce a drag-and-drop event within the browser. The issue is triggered when the victim clicks on a link with the popup.show() function defined as an onMouseclick event. It is possible that the flaw may allow an attacker to deliver executable code to the victim's computer without further user interaction, resulting in a loss of integrity.

Classification

Location: Local Access Required, Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Public
Disclosure: OSVDB Verified

Solution

Currently, there are no known upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability. Also, it is possible to correct the flaw by implementing the following workaround: Disable ActiveX controls and Active Scripting for untrusted web sites.

Products

Microsoft Corporation

Internet Explorer

5.01 SP3
5.01 SP4
5.5 SP2
6
6 SP1

References

Credit

  • Paul - paulgreyhats.cjb.net - Personal Site


Direct URL: http://osvdb.org/36218