Hey, Brian here. As we're gearing up for release tomorrow, I wanted to take a second to discuss a recent posting of a security issue to some mailing lists. Matt Murphy, a well-known security researcher, posted an alert today regarding a "drag and drop" issue affecting Windows. I actually handled this case and worked with Matt. We've been working with Matt for quite some time on this issue, and I want to thank him for working with us. We've had some long Instant Messenger sessions and e-mail threads while we worked together to understand the issue.
To provide some insight: this issue is different from past drag-and-drop issues like MS05-008. For example, the issue fixed by MS05-008 could be exploited by taking a "drag-and-drop" action within IE, like using the scrollbar. This issue is different. In working with Matt and our internal teams, we found that this issue has very exact and specific requirements. It is only problematic in specific circumstances that require the user to take a specific action timed very precisely.
The specific configuration consists of having two windows open: one an IE window, and the other a folder to a resource. The specific user action is the user clicking and dragging an object from the IE window over to the folder window. The timing is very exact: while this is happening, the windows would flip back and forth visibly at a set interval. The user would have to time it such that they catch the windows as they're flipping back and forth.
We will update the behavior, but in looking at the severity of the issue and balancing the risk inherent in any fix, we believe a future service pack is the best way to address this issue. Some thoughts on fixing issues in service packs: service packs allow for additional testing, including beta testing, to reduce the risk of quality issues impacting third-party applications. This extra testing is especially important for complicated fixes that require extensive behavior changes. That said, we work hard to make sure that when we resolve issues in service packs (as opposed to security updates), these are only issues of reduced severity, and we continually monitor those issues for a change in status.
I hope this provides some additional insight into this issue and answers some questions. We'll continue to work with Matt and others who have questions on this as we continue the investigation.
*This posting is provided “AS IS” with no warranties, and confers no rights.*