Microsoft: IE Zero-Day Bug Not Worth Patching


The drag-and-drop flaw in IE 5.01, 5.5, and 6.0 was first reported to Microsoft in August 2005, and is somewhat similar to one addressed in a February 2005 security bulletin.

"If an attacker can persuade a user to drag any object within the top-level window that his/her site is contained in, malicious script can redirect these inputs to other top-level windows, potentially resulting in an unintended consequence such as file installation," read the advisory published by SecuriTeam.

Microsoft, however, downplayed the threat. "We found this issue has very exact and specific requirements," wrote a member of the Microsoft Security Response Center team on the group's blog. "It is only problematic in specific circumstances that require the user to take a specific action timed very precisely."

For that reason, Microsoft doesn't plan to plug the vulnerability, at least not immediately. "We will update the behavior, but in looking at the severity of the issue and balancing the risk inherent in any fix, we believe a future service pack is the best way to address this issue."


Microsoft has committed to a third service pack for Windows XP (which would be called Windows XP SP3), but recently rescheduled the update for the second half of 2007, essentially a year after it releases Windows Vista.

Some security companies disagreed with Microsoft. San Diego, Calif.-based Websense, for instance, warned its customers late Monday that the zero-day bug wasn't zero-risk. "Although we believe this vulnerability is not as easy to exploit as some in the past, (see WMF vulnerability) a risk still remains. We have experimented with deception scenarios and believe that users could be duped into following the necessary actions to be exploited." Danish vulnerability tracker Secunia rated the threat as "Less Critical," the second-lowest of the five levels on its scale, which runs from "Not Critical" to "Extremely Critical."