From: Panda Oxygen3 24h-365d wrote:

"Experience does not err, it is only your judgment that errs"
Leonardo da Vinci (1452 - 1519); Italian artist and inventor.

- Drag and drop vulnerability in Thunderbird and Firefox -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, March 25, 2005 - A vulnerability has been reported which affects both the Firefox browser and the Thunderbird mail client and which can be exploited by remote attackers to insert malware on a user's system.

The problem is that images dragged and dropped from a web page to the desktop retain their name and extension. If the file has an executable extension, it could be run instead of being opened by the corresponding multimedia application.

To exploit this vulnerability, an attacker would need to construct a valid image file which at the same time was executable. In Windows, this can be done using a hybrid of a GIF image and a batch file. The attacker then needs to trick the user into dragging the image onto the desktop and double-clicking on it.

------------------------------------------------------------
To contact Panda Software, please visit:
http://www.pandasoftware.com/about/contact/
------------------------------------------------------------

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews, see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
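The advisory's root cause is that the dropped file keeps the page-supplied name and extension. As an added example (not part of the advisory and not Mozilla's actual fix), the sketch below shows the defensive rule of deriving the saved extension from the image content instead; the function names and the sample bytes are constructed for illustration.

```python
import os

# Leading magic bytes for common web image formats.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
}
# Extensions considered consistent with each sniffed type.
EXTENSIONS = {"gif": {".gif"}, "png": {".png"}, "jpeg": {".jpg", ".jpeg"}}

# Constructed sample: a GIF header followed by a few placeholder bytes.
GIF_SAMPLE = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00"


def sniff_image_type(data: bytes):
    """Return 'gif', 'png', 'jpeg', or None based on leading bytes only."""
    for kind, prefixes in MAGIC.items():
        if data.startswith(prefixes):
            return kind
    return None


def safe_drop_name(suggested: str, data: bytes) -> str:
    """Choose the filename to write when image content is dropped to disk.

    The final extension is derived from the content, never from the
    page-supplied name, so image bytes cannot land as e.g. 'x.bat'.
    """
    kind = sniff_image_type(data)
    if kind is None:
        raise ValueError("content is not a recognised image; refusing to save")
    # Drop path components, then trailing dots/spaces, which Windows strips
    # silently (so 'a.bat.' would otherwise end up on disk as 'a.bat').
    base = os.path.basename(suggested.replace("\\", "/")).rstrip(". ")
    _, ext = os.path.splitext(base)
    if ext.lower() in EXTENSIONS[kind]:
        return base
    # Mismatch: keep the original name visible and append the true type,
    # so a double-click opens the image viewer rather than an interpreter.
    true_ext = "jpg" if kind == "jpeg" else kind
    return f"{base or 'image'}.{true_ext}"


if __name__ == "__main__":
    for name in ("holiday.gif", "holiday.bat", "holiday.gif.bat. "):
        print(repr(name), "->", safe_drop_name(name, GIF_SAMPLE))
```

The same comparison works as a detection rule: any saved file whose leading bytes identify an image but whose final extension is not in `EXTENSIONS` for that type deserves a closer look.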