Matthew Murphy has reported a vulnerability in Internet Explorer, which can be exploited by malicious people to compromise a user’s system.
The vulnerability is caused due to error in the timing of drag-and-drop events when certain objects not derived from HTML documents (e.g. files within a folder view) are dragged. This race condition can be exploited to place arbitrary files on a user’s system by tricking the user into interacting with a malicious web site.
The vulnerability is related to: SA12321
Successful exploitation requires a certain amount of timing and user interaction.
Solution: Disable Active Scripting support for all but trusted sites.
Set the kill bit on the Shell.Explorer control.
Continue reading “Internet Explorer Drag-and-Drop Vulnerability”