Monday, February 13, 2006

Internet Explorer: a new drag and drop pitfall 

Under certain circumstances, if a clever attacker with an intricately crafted web site can trick you into picking something up with the mouse and moving it, he can install unwanted software on your machine.

In real life the scenario would be something like this: you visit an untrustworthy web site, it has a banner or a game like "move the monkey into the barrel and win $25!", you fall for the trick, and you get a piece of spyware or something nastier on your computer.

Microsoft does not see this as a big deal and doesn't have a patch available now or soon.

If you are forced to use Internet Explorer, stay out of bad neighborhoods, don't let yourself be inveigled into playing interactive games, hope the bad guys don't booby-trap the advertising that you see on legitimate web sites, and ask your technical adviser whether you should try the recommendations in this technical article about the Internet Explorer drag and drop vulnerability. All those recommendations will cost you functionality. Understand well what you're giving up.
