PT-2006-4175 · Microsoft · Windows Explorer+2

Plebo Aesdi Nael · Published 2006-06-28 · Updated 2021-07-23 · CVE-2006-3281

CVSS v2.0: 5.1 (Medium)

Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

Microsoft Internet Explorer version 6.0
Windows Explorer (affected versions not specified)

Description

The issue arises from improper handling of Drag and Drop events, which allows remote user-assisted attackers to execute arbitrary code. The attack vector is a link to an SMB file share with a filename containing encoded .. (%2e%2e%5c) sequences and an extension that includes the CLSID Key identifier for HTML Applications (HTA). An attacker could exploit this by constructing a malicious Web page, potentially allowing them to save a file on the user's system if the user visits a malicious Web site or views a malicious e-mail message. Exploitation requires user interaction; successful exploitation could grant the attacker complete control of the affected system.

Recommendations

For Microsoft Internet Explorer version 6.0, update to a newer version to mitigate the risk. For Windows Explorer, there is currently no information about a newer version that contains a fix for this vulnerability.
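
A detection-side check for the filename pattern in the description, as an added example that is not part of the original advisory. It generalizes to any GUID-style extension and to double-encoded sequences; the hostnames, file names and the all-zero GUID in the usage below are constructed placeholders.

```python
import re
from urllib.parse import unquote

# A "{8-4-4-4-12}" GUID used as the final extension of a file name.
CLSID_EXT = re.compile(
    r"\.\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$")

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded sequences are exposed too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def segments(path):
    """Split on either separator after normalising '/' to a backslash."""
    return path.replace("/", "\\").split("\\")

def inspect_link(link):
    """Return the reasons a link target (mail body, page, proxy log) is suspect."""
    decoded = fully_decode(link)
    norm = decoded.replace("/", "\\")
    reasons = []
    # UNC path or file: URL, i.e. a target that may resolve to an SMB share.
    if norm.startswith("\\\\") or norm.lower().startswith("file:"):
        reasons.append("unc-or-file-target")
    if ".." in segments(decoded):
        # Traversal visible only after decoding was hidden by percent-encoding.
        hidden = ".." not in segments(link)
        reasons.append("encoded-traversal" if hidden else "traversal")
    if CLSID_EXT.search(segments(decoded)[-1]):
        reasons.append("clsid-extension")
    return reasons

if __name__ == "__main__":
    # Constructed samples; the all-zero GUID is a placeholder, not a real CLSID.
    guid = "{00000000-0000-0000-0000-000000000000}"
    samples = [
        "\\\\fileserver.example\\share\\%2e%2e%5c%2e%2e%5cnotes.txt." + guid,
        "file://fileserver.example/share/%252e%252e%255creadme." + guid,
        "https://intranet.example/docs/report.pdf",
    ]
    for s in samples:
        print(inspect_link(s), s)
```

A link that triggers all three reasons at once matches the combination the description names; any one reason alone is a weaker signal and may appear in legitimate traffic.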

Exploit

RCE


Weakness Enumeration

Related Identifiers

CVE-2006-3281

Affected Products

Internet Explorer
Windows
Windows Explorer