Matthew Murphy has reported a vulnerability in Internet Explorer, which can be exploited by malicious people to compromise a user’s system.

The vulnerability is caused by an error in the timing of drag-and-drop events when certain objects not derived from HTML documents (e.g. files within a folder view) are dragged. This race condition can be exploited to place arbitrary files on a user’s system by tricking the user into interacting with a malicious web site.

The vulnerability is related to: SA12321

Successful exploitation requires a certain amount of timing and user interaction.

Solution: Disable Active Scripting support for all but trusted sites.

Set the kill bit on the Shell.Explorer control.
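
One way to apply the kill-bit workaround, as an added example that is not part of the advisory. It assumes the standard Internet Explorer kill-bit mechanism (a `Compatibility Flags` DWORD with bit 0x400 under the `ActiveX Compatibility` key) and an elevated PowerShell prompt; the CLSID is resolved from the `Shell.Explorer` ProgID at run time rather than hard-coded.

```powershell
# Added example: set the IE kill bit for the control named in the advisory.
# Run elevated. Variable names are illustrative.
$ProgId  = 'Shell.Explorer'   # control named in the advisory
$KillBit = 0x00000400         # kill-bit value of "Compatibility Flags"

# Resolve ProgID -> CLSID from the registry instead of trusting a pasted GUID.
$progKey = "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID"
if (-not (Test-Path -LiteralPath $progKey)) {
    throw "ProgID '$ProgId' is not registered on this system."
}
$clsid = (Get-Item -LiteralPath $progKey).GetValue('')
if ($clsid -notmatch '^\{[0-9A-Fa-f-]{36}\}$') {
    throw "Unexpected CLSID value: '$clsid'"
}

# Native view plus the 32-bit view present on 64-bit Windows.
$bases = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

foreach ($base in $bases) {
    # Skip the 32-bit view when it does not exist (32-bit Windows).
    if (-not (Test-Path -LiteralPath (Split-Path $base -Parent))) { continue }

    $key = Join-Path $base $clsid
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # Preserve any flags already set and OR in the kill bit.
    $current = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = ([int]$current) -bor $KillBit
    Set-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
                     -Value $new -Type DWord

    # Read back and report so the change can be verified and logged.
    $check = (Get-ItemProperty -LiteralPath $key).'Compatibility Flags'
    '{0} -> Compatibility Flags = 0x{1:X8}' -f $key, $check
}
```

To undo the change, clear bit 0x400 in the same value. Pages in Internet Explorer that embed this control will stop loading it while the kill bit is set.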

[Continue reading Secunia Advisory SA18787]
