We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Drag-and-drop flaw in IE reported

But Microsoft won't issue patch yet

Security analysts and vendors are reporting a flaw in Microsoft's Internet Explorer browser that could allow malicious code to run and result in a hacker taking over complete control of a computer.

Microsoft was informed of a vulnerability with Explorer's drag-and-drop function in August 2005 after it was first found by Matthew Murphy, Noam Rathaus, chief technical officer for Beyond Security, said yesterday. The company, which helped Murphy report the flaw to Microsoft last year, runs an independent security site called SecuriTeam.

Websense, which issued a warning yesterday, wrote that a specially crafted website could trick a user into dragging and dropping an item from one window to the other. After the user released the mouse in the newly focused window, code could run without consent, Websense said.

Microsoft said it wouldn't issue an immediate patch, but will instead wait to issue a fix in Service Pack 2.0 for Windows Server 2003 and Windows XP Service Pack 3.0, Rathaus said. Microsoft officials were not immediately available for comment.

The SecuriTeam site went public with the vulnerability yesterday after consulting Microsoft, Rathaus said. SecuriTeam detailed three methods to prevent the flaw from being exploited.

SecuriTeam's advisory criticised Microsoft's decision not to issue a patch, saying the company's "conclusion appears fundamentally inconsistent with the way related issues were handled by Microsoft". Further, Websense said the vulnerability is not as easy to exploit as some others, but a risk remains.

"They [Microsoft staff] don't see the issue being that important," Rathaus said. "They are not going to fix it any time soon."

As part of its monthly patch update, Microsoft plans to release seven fixes today for Windows Media Player, Windows and Microsoft Office.


IDG UK Sites

Best Christmas 2014 UK tech deals, Boxing Day 2014 UK tech deals & January sales 2015 UK tech...

IDG UK Sites

LED vs Halogen: Why now could be the right time to invest in LED bulbs

IDG UK Sites

Christmas' best ads: See great festive spots studios have created to promote themselves and clients

IDG UK Sites

Why Apple shouldn't be blamed for exploitation in China and Indonesia