A security researcher has discovered a new exploit for Microsoft Corp.’s Windows XP Service Pack 2 that allows programs to be planted and executed on fully-patched systems.
The researcher, known as http-equiv and operator of the malware.com Web site, discovered a weakness in the local security zone of Internet Explorer which, through the use of the HTML Help control, allows security restrictions in the zone to be bypassed.
In combination with a separate vulnerability, in which drag-and-drop operations permit executable content to be placed on the system, the result of the attack is the delivery and execution of potentially hostile code from an external Web site. The researcher provides a proof of concept example on the site.
The drag-and-drop component of the example is surprising in light of Microsoft’s recent patching of a related vulnerability. Thor Larholm, senior security researcher for PivX Solutions, said the Microsoft patch, designated MS04-038, “does not patch the drag-and-drop problem directlyinstead it tries to prevent its use by limiting the types of files that can be used in DYNSRC.”
DYNSRC specifies the address of a media object used in a Web page. “As http-equiv demonstrates in his original post, this restriction could be circumvented,” Larholm said.
The problem is relatively minor and can be patched by Microsoft without too much bother, Larholm said. In the meantime, it can be circumvented by disabling a particular shell object, Shell.Explorer, by setting its “kill bit” in the registry. PivX Inc. is providing a registry fix for doing this on their Web site.
In order to deliver and run the attack code the user must perform a drag-and-drop operation. In a real-world attack, users would probably be enticed with a media file such as an image or music, but the file would contain the attack code, according to a description written by Symantec Corp.
A Microsoft spokeswoman said the company is investigating reports of a vulnerability affecting Windows XP Service Pack 2 and earlier versions of Windows that could enable an attacker to place a malicious file on a user’s system.
“Microsoft is not aware of any customer impact at this time. However we will continue to investigate the issue to determine the appropriate course of action to protect our customers. This might include providing a fix through our monthly patch release process or an out-of-cycle update, depending on customer needs,” she said.
Microsoft also advises customers who have applied the latest Internet Explorer update, MS04-038, to set the “Drag and Drop or copy and paste files” option in the Internet and Intranet zone to “Disable” or “Prompt.” Once this setting is changed, the spokeswoman said, the attack described in the report will not succeed.
In addition, customers who have set their Internet Security zone settings set to high will not impacted by this vulnerability.
Editor’s Note: This story was updated to include additional information from Microsoft.
Check out eWEEK.com’s Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer’s Weblog.