[virusinfo] Drag and drop vulnerability in Thunderbird and Firefox - 3/25/05

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Sat, 26 Mar 2005 10:41:13 -0800

From: Panda Oxygen3 24h-365d wrote:

"Experience does not err, it is only your judgment that errs"
      Leonardo da Vinci (1452 - 1519); Italian artist and inventor. 

      - Drag and drop vulnerability in Thunderbird and Firefox -
   Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, March 25, 2005 - A vulnerability has been reported which affects
both the Firefox browser and the Thunderbird mail client and which can be
exploited by remote attackers to insert malware on a user's system. 

The problem is that images dragged and dropped from a web page to the
desktop retain their name and extension.  If the file has an executable
extension, it could be run instead of being opened by the corresponding
multimedia application.

To exploit this vulnerability, an attacker would need to construct a valid
image file which at the same time was executable.  In Windows, this can be
done using a hybrid of a GIF image and a batch file. The attacker then
needs to trick the user into dragging the image onto the desktop and
double-clicking on it.

------------------------------------------------------------

To contact Panda Software, please visit:
http://www.pandasoftware.com/about/contact/
------------------------------------------------------------

*********** MIKE'S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 
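
An added example, not part of the Panda bulletin or of the message above: a defender-side check for the condition the bulletin describes, a file whose content is an image but whose retained name ends in an extension the Windows shell executes. The function names and the extension list are assumptions made for illustration, and the sample bytes are constructed.

```python
import os

# Leading magic bytes of the image formats checked here.
IMAGE_MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}
# Extensions each image type is expected to carry.
EXPECTED_EXTS = {"gif": {".gif"}, "jpeg": {".jpg", ".jpeg", ".jpe"}, "png": {".png"}}
# Extensions run on double-click in Windows (assumed, non-exhaustive list).
EXECUTABLE_EXTS = {".bat", ".cmd", ".com", ".exe", ".pif", ".scr", ".vbs", ".js", ".hta"}


def sniff_image(head: bytes):
    """Return the image type indicated by the first bytes, or None."""
    for kind, prefixes in IMAGE_MAGIC.items():
        if head.startswith(prefixes):
            return kind
    return None


def effective_ext(filename: str) -> str:
    """Extension as Windows sees it: trailing dots and spaces are dropped."""
    return os.path.splitext(filename.rstrip(". "))[1].lower()


def classify(filename: str, head: bytes) -> str:
    """'block': image content under an executable name; 'mismatch': image
    content under some other unexpected name; 'ok'; or 'not_image'."""
    kind = sniff_image(head)
    if kind is None:
        return "not_image"
    ext = effective_ext(filename)
    if ext in EXECUTABLE_EXTS:
        return "block"
    return "ok" if ext in EXPECTED_EXTS[kind] else "mismatch"


def safe_name(filename: str, head: bytes) -> str:
    """Name to save under: force the extension to match the sniffed content."""
    kind = sniff_image(head)
    if kind is None or classify(filename, head) == "ok":
        return filename
    return filename.rstrip(". ") + sorted(EXPECTED_EXTS[kind])[0]


# Constructed sample: a GIF header followed by filler bytes.
GIF_HEAD = b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00"
```

Appending the content-derived extension in `safe_name` means a double-click hands the file to the image viewer rather than to the command interpreter.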


