
Microsoft Internet Explorer Mouse Click Event Hijacking Vulnerability

A vulnerability exists in Internet Explorer when handling specific DHTML events, allowing a malicious Web page to intercept mouse click events to perform unintended drag and drop operations.

In particular, it is possible to simulate a mouse drag and drop event by using the moveBy() DHTML method of the window object. This attack may also apply to the moveTo(), resizeBy(), and resizeTo() methods of the window object. An attacker could exploit this by creating a link that, when clicked, causes an object such as an executable or shortcut to be stored on the client computer, for example in the startup folder.

Successful exploitation will permit execution of arbitrary code in the context of the client user.

It should be noted that a later variant of this issue exists (BID 9108) that evades the fixes provided in MS03-048. This later variant is addressed by MS04-004.
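
As an added example (not part of the original advisory or any vendor tooling), a heuristic JavaScript scanner for triaging saved pages: it flags mouse event handlers that reach the window methods named above, either directly or through one named function in an inline script block. The regexes, function names and sample markup are assumptions made for illustration.

```javascript
// Heuristic triage only: regex-based, inline handlers and inline <script> blocks.
const GEOMETRY_CALL = /\b(moveBy|moveTo|resizeBy|resizeTo)\s*\(/g;
const MOUSE_HANDLER = /\bon(click|dblclick|mousedown|mouseup|mousemove)\s*=\s*("([^"]*)"|'([^']*)')/gi;
const SCRIPT_BLOCK = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
const FUNCTION_DEF = /function\s+([A-Za-z_]\w*)\s*\([^)]*\)\s*\{/g;
// Distinct window geometry methods called in a piece of script text.
const geometryCalls = (code) => [...new Set([...code.matchAll(GEOMETRY_CALL)].map((m) => m[1]))];

// Text of the brace-balanced block whose opening '{' is at index `open`.
function bodyAt(src, open) {
  let depth = 0;
  for (let i = open; i < src.length; i++) {
    if (src[i] === '{') depth++;
    else if (src[i] === '}' && --depth === 0) return src.slice(open + 1, i);
  }
  return src.slice(open + 1); // unterminated block: scan to end of script
}

// Map each named function to the geometry methods its body calls.
function indexFunctions(html) {
  const index = new Map();
  for (const [, script] of html.matchAll(SCRIPT_BLOCK))
    for (const m of script.matchAll(FUNCTION_DEF))
      index.set(m[1], geometryCalls(bodyAt(script, m.index + m[0].length - 1)));
  return index;
}

// Report mouse handlers that call a geometry method directly or via one named function.
function scanPage(html) {
  const functions = indexFunctions(html);
  const findings = [];
  for (const m of html.matchAll(MOUSE_HANDLER)) {
    const code = m[3] ?? m[4]; // double-quoted or single-quoted attribute value
    const methods = new Set(geometryCalls(code));
    for (const [name, called] of functions) {
      if (new RegExp(`\\b${name}\\s*\\(`).test(code)) called.forEach((c) => methods.add(c));
    }
    if (methods.size) findings.push({ event: `on${m[1].toLowerCase()}`, methods: [...methods].sort() });
  }
  return findings;
}
// Constructed sample markup (not taken from the advisory).
const SAMPLE = [
  '<script>function nudge() { if (true) { window.moveBy(5, 0); } window.resizeTo(400, 300); }',
  'function track() { return false; }</script>',
  '<a href="#" onmousedown="nudge()">one</a> <a href="#" onclick="track()">two</a>',
  "<a href=\"#\" onclick='self.moveTo(0,0)'>three</a>",
].join('\n');
console.log(JSON.stringify(scanPage(SAMPLE)));
```

A hit is a lead for manual review, not a verdict: legitimate pages of that era also moved and resized windows from click handlers.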







 

Copyright 2009, SecurityFocus